HIPAA compliance in 2017 is a key issue that many doctors are focused on.

Since 1996, the Health Insurance Portability and Accountability Act has been in place, giving physicians and their teams reason to guard their patients' privacy closely.

Depending on the type of breach, physicians can be liable for between $100 and $50,000 for each violation. The maximum penalty is $1.5 million per calendar year for violations of an identical provision. Some HIPAA violations can lead to imprisonment in extreme circumstances. This is why HIPAA compliance in 2017 is such an important factor for doctors.

To ensure that your practice has effective HIPAA compliance in 2017, here are 5 steps to follow:

1) Correct Sharing of Patient Information

If your staff discuss patients’ names, addresses and or insurance plans at check-in, you are technically breaching patient confidentiality. Make sure patients and office staff have a way to discuss insurance or change of address in private. Also, create a quiet place for phone calls to occur. Even if you’re just calling a patient to setup or confirm an appointment, it is better to do this in a private area if possible.

2) Secured Paper Files

While paper charts are slowly becoming a relic, it is important that past files are stored securely. Doctors who have moved to using an EHR for all patient records may still have old patient files that need to be transferred. Once the conversion from paper documents to electronic format is complete, be sure to shred the paper patient records before you dispose of them.

If your medical practice still uses paper documents, be sure not to leave them in unsecured or unattended areas. Charts, paperwork and forms that patients bring in from other practices must likewise be filed and stored securely.

3) Encrypted Emails

Never underestimate the importance of email encryption, even for seemingly innocent files. Using email services that do not encrypt messages end-to-end, such as standard Gmail, Outlook or Yahoo accounts, puts your information at risk of being accessed by attackers. For this reason, you should consider an encrypted email or file-sharing service for pertinent patient information.

When sending bulk emails to patients, or many emails in a row, it is easy to overlook the address it is being sent to. You can put patients at risk and you can lose their trust, simply because you didn’t double-check your recipient address or an email attachment.

This is one of those areas where slow, steady careful checking pays off.

4) HIPAA Secured Patient Portals

If you use or are considering creating a patient portal, ensure it has secure login compliance. Any personal patient information should not be easily accessible without a username and password.

If sharing information with family members of patients, be sure to get written authorization from the patient first. A good practice is to require identity verification for password reminders. You can also remind patients to access their patient portal when they have a secure internet connection (i.e. not in public places).

5) Ensure your Telemedicine platform is HIPAA compliant

Some doctors have considered using Skype or FaceTime to communicate with patients. While they are great free platforms for video chat, the reality is that they weren’t designed to be HIPAA-compliant.

The challenge is that even though a doctor can ensure their own Internet connection is secure, there is very little they can do to make sure everything is secure on the patient’s receiving end.

Another option is to ensure there is a Business Associate Agreement in place with the vendor. The same security issues arise with text messaging, so be sure to use HIPAA-compliant texting tools there as well. Ideally, the solution is to use a HIPAA-compliant application designed for telemedicine.

Doctors may have several HIPAA violations without getting fined, but that doesn’t mean it isn’t a negative for your practice. Having HIPAA Compliance in 2017 is as important as it has been for the past 20 years.

When doctors treat patient information with caution, they can enjoy the peace of mind that comes with being HIPAA compliant.

When considering the sale of your healthcare practice (regardless of whether you are a physician, physical therapist, dentist, optometrist, etc.), you will undoubtedly be confronted by a litany of questions:

Valuation – how do I ensure I get a fair price?

Type of Sale – am I selling assets or majority of stock/shares/membership interest in the entity?

Due Diligence – how much research and risk assessment must I do in regards to existing liabilities (for both myself and the buyer) as well as the security/financing of the buyer?

Holdover – how long should I remain onboard and accessible to the buyer – as an employee or an independent consultant?

Termination – what will trigger cancellation of the transaction?

All of these questions warrant consultation with an attorney with experience in structuring such transactions.

However, in addition to the traditional machinations of such a transaction, you will need to receive consultation from an attorney aware of additional aspects of the healthcare profession that make the sale of a practice more difficult. Namely, you need to be aware of the requirements for patient consent of the transfer of files and HIPAA Compliance.

Notification Requirement to Patients

Pursuant to state and federal regulations, patients must be given the option to choose another health care provider and/or have a copy of their medical records sent to the physician of their choice. Specifically, medical records and other personal health information should not be transferred to another health care practitioner or practice without the patient’s informed consent. As such, when moving forward with a contemplated sale of practice, it is important that the mechanics of informing patients of the contemplated sale and providing them the option to choose their own provider is incorporated into the timing of the transaction.

Unfortunately, this often leads to the sale of the practice taking much longer than what might be within the parties' expectations.

Sharing Patient Files and Medical Records through Business Associate Agreement

As the above transition is unavoidable, buyers and sellers can and should embrace it. This can be accomplished by ensuring there is a holdover of the old practitioner within the new practice, as an employee or an independent contractor. Furthermore, the seller is permitted to share his or her patient files and medical records (i.e. PHI) with the buyer pursuant to a HIPAA-compliant Business Associate Agreement. This is permitted because the buyer, as a business associate, is using the PHI from the seller for “health care operations”, a permitted use under HIPAA. “Health care operations” include business management and general administrative operations of the entity, including the sale, transfer, merger or consolidation of all or part of the covered entity with another covered entity.

The American Medical Association provides further guidance for the transfer of patient records upon the sale of a medical practice. Ethical Opinion 7.04 states, “The transfer of records of patients is subject, however, to the following: (1) All active patients should be notified that the physician (or the estate) is transferring the practice to another physician who will retain custody of their records and that at their written request, within a reasonable time specified in the notice, the records or copies will be sent to any other physician of their choice… (2) A reasonable charge may be made for the cost of duplicating records.”

Priming or Retaining Medical Records

Practitioners should also check state and federal regulations regarding recordkeeping requirements and/or retention. When selling or closing a practice, practitioners should review their medical records to ensure that the records contain all information and documentation as required by state and federal law.

Medical record ownership is established by state law, licensing regulations, and judicial decisions. Generally, the practitioner's patient file and medical record is owned by the practitioner or corporate entity responsible for compiling and maintaining it, which also serves as the custodian of its contents. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) expanded patients’ rights to access, audit and amend their protected health information (“PHI”) pursuant to the HIPAA Privacy Standards. As custodian, the practitioner is responsible for providing their patient with informed written consent regarding their role as well as how the patient may access and transfer its contents at will to desired third-party practitioners. Practitioners, in this dual role as custodian and owner, must take special care regarding the destruction, retention, or transfer of medical records when their practice is sold or closed.

Practitioners who are selling or closing their practice should ensure that the control, ownership and patient’s right to access their medical records is specifically addressed prior to transferring or storing any medical records in order to be in compliance with the applicable state law.

Medical marketing is at least three years behind any other industry for two reasons: First, HIPAA laws determine how patient information is gathered, stored and used. Second, the FDA imposes regulations on how medical practices can market their products and services.

Each day, millions of Americans search for health information online. Because online search is a major part of healthcare consumers’ decision-making, there is a risk that their protected health information (PHI) could be accidentally exposed by a medical facility, causing a HIPAA violation.

As a medical practitioner, it is your responsibility to ensure that any protected health information (PHI) you are collecting for your patients is safe and protected. Technological advancements can certainly add more efficiency to routine operations, but new technologies may bring new concerns with HIPAA compliance.

HIPAA compliance is one of the biggest concerns for medical practitioners, and for a good reason: Privacy violations can result in severe consequences, including hefty penalties and even jail time. To make matters more complicated, the HIPAA law is vague on what actions medical practices must take to make their digital marketing efforts HIPAA-compliant.

So, what best practices can you follow to keep your online marketing efforts HIPAA-compliant?

HIPAA compliance and digital marketing

Online marketing is vital for the growth of medical practices, as many patients turn to online sources to learn more about symptoms and treatment options and to search for nearby medical practices. Most medical practices have a website, and many use email marketing and social media to reach out to the target audience. Security is the biggest concern in these media. The following guidelines will help you stay HIPAA-compliant.

1. A HIPAA-compliant website: If you want potential patients to find your practice online, it is critical for you to have an active online presence. However, HIPAA laws are a concern. While it can be challenging to have a HIPAA-compliant website, it is not impossible. However, you must ensure your practice website has these elements to comply with HIPAA laws:

Patient data must be encrypted: Patient-related information contained in contact forms, appointment request forms and online check-in forms is at risk and must be encrypted. You can protect the private information by using an SSL certificate on your website. SSL complies with HIPAA’s data encryption standards and keeps private patient information safe.

Store data on a HIPAA-compliant server: Your server should have an antivirus, offsite backup, firewall and OS patch management in order to stay HIPAA-compliant. Also, make sure data is encrypted when you are storing it on the server.

Use a secure network to transmit HIPAA-protected information: You should never send HIPAA-protected information through an unencrypted network to an insecure email account. If you want to send or receive HIPAA-protected information by email, it must be encrypted end-to-end. A good alternative would be to store private information on your HIPAA-compliant server and set up email alerts to notify you any time new data is submitted.

Properly dispose of patient-related information: Practices are legally required to retain patient records for a particular period. When you are finally disposing of private information, it is recommended to delete all backups, archives as well as history stored on your server.

Regularly update privacy policy on your practice website: Your privacy policy must be regularly updated to keep up with any changes in your practice’s privacy policy to stay HIPAA-compliant.

2. HIPAA-compliant email marketing: It is important to design an email marketing strategy that will keep your practice on the right side of HIPAA compliance. Follow these basic tips:

An email containing PHI must be encrypted: Even basic information as simple as a name and email address of a patient can be considered PHI. So the best practice is to encrypt all professional emails. You can either choose to manually encrypt each professional email before sending it out or use a HIPAA-compliant automated service.

Make sure email marketing services are HIPAA-compliant: Just because you are paying for a service, do not make the mistake of assuming it is HIPAA-compliant. In fact, many email marketing services are designed for corporate use. When choosing an email marketing service, ensure that it offers HIPAA-compliant emails.

Never send email communication to patients who did not request it: Most practices ask for patients’ email addresses on their sign-in forms. However, unless the patient has indicated that he or she wishes to receive emails from your practice, you should avoid sending any email. You can simplify this process by adding a question about the patient’s communication preferences on your sign-in forms. However, even when the patient requests email communication, you must ensure appropriate safety measures.

Inform patients about the potential risks of email communication: Despite taking all security measures on your end, there is a good chance that your patients’ email services are not secure enough to prevent potential breaches. It is important that your patients understand this risk before agreeing to email communication with your practice.

3. HIPAA-compliant social media marketing: Social media can be a great way for practices to reach out to potential and current patients. However, staying HIPAA-compliant is a major concern. A slip-up will not only make your practice look bad, but it can also put you in trouble with the law. With some effort and knowledge, your practice can be active on social media without violating HIPAA. Follow these guidelines:

Stay up-to-date: Laws may change, so it is sage advice to regularly check for updates and make sure your social media efforts are in line with the current laws. You can look up the U.S. Department of Health and Human Services website for the most up-to-date information.

Create a social media policy for your practice: A social media policy will let your employees know what is allowed to post, and what is not allowed. In your social media policy, you can also establish roles and responsibilities for staff members who will be posting on your practice’s behalf.

Never include any identifiers in posts: With so much information available online, even an insignificant detail could help users identify your patient. Basic details such as date, time and location can give away a patient’s identity. When posting on social media, you must make sure to remove the following identifiers:

Name

Location

Dates

Contact numbers

E-mail addresses

Social security numbers

Medical record numbers

Health plan beneficiary numbers

Account numbers

Certificate/license numbers

Vehicle serial numbers and license plate numbers

Device identifiers and serial numbers

URLs

IP address numbers

Biometric identifiers such as finger and voice prints

Full-face photographs

Other unique identifying numbers, characteristics or codes
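The list above is the kind of checklist a pre-publication review has to apply to every draft post. The following is an added example, not part of the original article, of a small screening script that flags the machine-detectable identifier classes from that list (dates, phone numbers, e-mail addresses, Social Security numbers, IP addresses, URLs, medical record numbers) in a draft post before it goes out. The regular expressions, the `MRN` prefix convention and the sample draft are constructed assumptions; names, locations and free-text descriptions cannot be pattern-matched reliably, so the script takes a patient roster for names and still leaves the final call to a human reviewer.

```python
import re
from typing import Dict, List, Sequence

# Constructed heuristics for the identifier classes that have a recognisable
# shape. A match means "stop and review", not "this is the only PHI present".
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # US phone numbers with separators; lookbehind stops us matching inside longer digit runs.
    "phone": re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.IGNORECASE),
    # Under HIPAA every date element except the year is an identifier, so a
    # month-and-day without a year ("Mar 3") is flagged too.
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2}|"
        r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}(?:, \d{4})?)\b",
        re.IGNORECASE,
    ),
    # Assumed local convention: medical record numbers are written "MRN 1234567".
    "mrn": re.compile(r"\bMRN[:# ]?\s*\d{4,}\b", re.IGNORECASE),
}


def scan_post(text: str, known_names: Sequence[str] = ()) -> Dict[str, List[str]]:
    """Return every identifier match found in text, grouped by category.

    An empty dict means no pattern fired; it does not prove the post is safe.
    """
    findings: Dict[str, List[str]] = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            findings[category] = hits
    # Patient names come from a roster (e.g. today's schedule); free-text name
    # detection is not reliable enough to rely on.
    name_hits = [
        name for name in known_names
        if re.search(r"\b" + re.escape(name) + r"\b", text, re.IGNORECASE)
    ]
    if name_hits:
        findings["name"] = name_hits
    return findings


def is_safe_to_post(text: str, known_names: Sequence[str] = ()) -> bool:
    """True only when no identifier pattern fired; a human still reviews the rest."""
    return not scan_post(text, known_names)


if __name__ == "__main__":
    # Constructed sample drafts; every value is fictional.
    risky = ("Great outcome today for Jane Doe (MRN 0045821), seen 03/14/2017. "
             "Call 555-123-4567 or jane@example.com.")
    clean = "Grateful for our wonderful nursing team this week!"
    for draft in (risky, clean):
        print(repr(draft))
        print("  findings:", scan_post(draft, known_names=["Jane Doe"]))
```

Run as a script it prints the findings for a risky draft and an empty dict for the clean one. Because the date pattern deliberately catches month-and-day strings without a year, expect some false positives in ordinary marketing copy; that is the right trade-off for a check whose cost of a miss is a reportable breach.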

Keep separate social media profiles for personal and professional use: Even if you are an individual physician, you should have a separate personal profile for discussing anything outside of healthcare. The same goes for your employees. Your employees should be instructed not to accept a friend request from a patient as that could lead to conversations that may violate HIPAA guidelines.

Staff training: An integral part of HIPAA compliance

According to industry reports, of the 268 breach incidents reported to the Department of Health and Human Services in 2015, nearly 73 percent of the incidents occurred at providers’ sites. While network security at the providers’ sites is a vital concern, the vast majority of incidents have more human causes.

Nearly four of every five breach incidents at the providers’ sites have nothing to do with server-network hacking. They are mistakes rooted in human behavior. These events could have been prevented by staff, had they been trained on HIPAA laws.

The most basic requirement of HIPAA is training. The law requires appropriate training for every employee on his or her responsibilities to protect patient information. Training should aim at engaging employees through case studies of actual breaches. Training programs should include real-life exercises in which staff members are presented situations and choices that have led others into privacy breaches. During the training sessions, decisions should be discussed, situations should be simulated, new and more efficient processes should be established, and a sense of responsibility should be fostered.

Even with safety measures in place to protect your patients’ private information, it is still possible for a violation to occur if employees are not informed. You should provide HIPAA compliance training to employees when they start working at your practice. This training should include information about the HIPAA privacy rules, violations and monitoring patient record requests.

In order for your medical practice to be HIPAA-compliant, each staff member must be HIPAA-compliant. It is your responsibility to educate, inform and train your employees on HIPAA regulations and the consequences of non-compliance.

At Practice Builders, our team of online marketing and HIPAA-compliance experts will work closely with you to ensure an optimum patient experience. Through content marketing, HIPAA-compliant emails, social media and strategic SEO, we help you grow your medical practice while you focus on providing top-notch care for your patients.

This month's HIPAA Survival Guide Newsletter article uses the metaphor from The Fifth Discipline, a book written by Professor Peter Senge circa 1990, to describe the systems approach required if organizations want to change their compliance DNA. Senge's book contemplates what's required for a "learning organization." This article contemplates what 21st century compliance DNA looks like and why it matters that "systems thinking" underpins all compliance initiatives. First, we address what Senge calls the "learning disabilities."


1. I am My Position

In the 24/7/365 online world that all knowledge workers now inhabit, it is hard to predict who within an organization will be the compliance (specifically, in this case, "cybersecurity") change agent. It's important that knowledge workers do not get caught up in the organizational pecking order, because it generally only serves to constrain where innovative ideas may come from. This is especially true with respect to the kind of comprehensive, systemic approach to cybersecurity required to reduce risks to levels that are reasonable and appropriate pursuant to the targeted regulatory regime.

One thing is certain, the functional group where the cybersecurity change agent ("CA") may emerge is an unknown unknown. The CA may not emerge from the "usual suspects" (e.g. information technology). Why is that? Because a cybersecurity vision and the resources to get it implemented requires much more than technical acumen. It also requires communication skills necessary to transform an organization's cybersecurity initiative into something that it does as part of the value it delivers to customers/patients, and not some "bolt on" necessary evil activity.

2. The Enemy is Out There

Compliance in the 21st century is not about reacting to Big Brother looking over your shoulder but rather about delivering value to customers. There are no regulatory agencies "out there" that you should be at war with. You are at war with the increasingly sophisticated "bad guys" who want access to your customers' sensitive data to monetize it, or to perform other nefarious activities that customers are obviously interested in avoiding. For example, the public policy that underpins our respective customers' interest in privacy will only strengthen over time.

The more we are surveilled, watched, tracked, etc., the more our desire for privacy will increase. A desire for privacy is a visceral reaction, a reach for some semblance of quietude and repose that all human beings need when we are bombarded with thousands of messages each day demanding our attention. The organizations that can seamlessly provide us with privacy as part of their value proposition are likely to attract our loyalty, all other things being equal.

3. Illusion of Taking Charge

Unfortunately, although we all understand that a successful HIPAA Compliance Initiative ("HCI") cannot proceed without the executive management team's ("EMT") participation, the latter cannot take the lead role in running the initiative. The reason for this may not be obvious on its face. Compliance officers quickly realize the dilemma of having been thrust into "the belly of the whale." An HCI is much more complex and time consuming than almost everyone expects, even when you expect it to be a full-time job. This is especially true when your organization is trying to launch its HCI. If the EMT members are busy doing what they should be doing, they generally do not have the bandwidth to take on this job, no matter how good their intentions. This is a job for professional compliance officers.

That said, there are always exceptions. Where we tend to find these exceptions most often is in small boutique business associates, where HIPAA compliance is the difference between winning a piece of business and not even being included in the game. Here the EMT clearly understands what HIPAA compliance means to their value proposition and embraces compliance as they would any other revenue-generating opportunity.

4. Fixation on Events

We are too focused on the short term, which prevents us from seeing long-term patterns of change that are the cause of the immediate events. This is especially true when an organization experiences a breach. The focus tends to be on "responding to the event" instead of focusing on root causes and systemic failures. In addition, this event focus often precludes any real change in the organization's compliance DNA, reverting back to business as usual as soon as the event has been "handled."

5. Delusion of Learning from Experience

People seldom directly experience consequences of their decisions. For example, breaches generally don't happen often enough for an organization to develop deep institutional knowledge from the lessons learned. Further, often the lessons learned are not the right ones. Blame is generally assigned to individuals instead of the organization's HCI writ large. The bottom line is that systemic risks require systemic solutions. We are not convinced that "systems thinking" has permeated the business culture to the extent required to manage systemic risks. Remember, "systems thinking" is not the same thing as "throwing technology at a problem." A system is much broader in scope than the technology that underpins it. As non-trivial as that technology may be, it is usually the "people" part of the system that poses the most difficulty. Problems that encompass systemic risk are by definition wicked problems, because they inherently contain more organizational complexity than technical complexity.

The anecdotal evidence is that the healthcare industry, writ large, appears to have learned little from the historic breaches that have already occurred and from reputation damage from being listed on HHS' Wall of Shame. Many reasons have been posited for healthcare's learning disability. The one that we have settled on is that for historical reasons (in no small part due to academic training), the industry views itself more as a group of "clinicians" rather than as "business people." In part this dichotomy has persisted because healthcare, as practiced in the U.S., is a business like none other.

Pricing transparency does not exist.

There is no easy way to compare quality between providers.

Very little accountability to patients (i.e. primarily because the latter are generally not the "payers") for quality outcomes (fee-for-service is still king).

We could go on but you get the picture. For good reason, almost all senior healthcare executives are doctors. Therefore, there is very little mixing of business DNA from other industries. The healthcare industry is a beast unto itself.

6. Myth of the Management Team

We tend not to work together but rather fight over turf and avoid doing anything that risks looking bad. We are not competent to say whether there are more turf wars in healthcare than in other industries. However, we can say that the management teams we have interacted with understand very little about how privacy and security should be incorporated into the organization's DNA. Most tend to view compliance as a "bolt on" necessary evil that simply needs to be managed. Few management teams understand that in the 21st century cybersecurity (i.e. both privacy and security combined) must be an inherent part of the organization's value proposition, delivered on behalf of patients. Ah, but therein lies the problem: ask any healthcare management team who their customers are and they may say "patients" out of political correctness, but the reality on the ground is far different. Their "customers" are generally insurance companies or large employers. Why? Because the latter pay the dollars that keep the wheels of healthcare turning.

7. Parable of the Boiling Frog

We tend not to notice or are unwilling to notice threats that rise gradually which results in an inability to react until it's too late. The healthcare frog has been boiling since the HITECH Act was promulgated in 2009. There have been hundreds of high profile breaches and thousands more that don't make frontpage news. Yet it is clear that the industry has failed to take any significant action en masse. The prevailing feeling appears to be "breaches are things that happen somewhere else." Privacy and security are simply not top of mind for clinicians. Nursing schools and medical schools barely teach students enough to allow them to spell HIPAA (mostly) but not much more. The water keeps getting hotter but the frog remains mostly oblivious. As we all know, this story does not end well for the frog. One day something really bad, but otherwise utterly preventable happens. This fails to move the needle for the practice next door. In that practice another frog is starting to boil.

Conclusion

According to the book, it is no longer sufficient for an organization to rely upon just one person to learn for the organization (if it ever was). A successful business is one that can effectively develop the capacity for members to learn at all levels of the organization. A learning organization requires its members to be open to new ideas, be able to communicate effectively with each other, understand the organization, form a vision shared by all members and work together to achieve that vision.

Although the book's conclusions sound like yet more platitudes, given that we have all become somewhat jaded by the "vision thing," they certainly ring true with what's required to change an organization's DNA with respect to privacy and security. If not, it is likely to continue "raining breaches" for the foreseeable future.

As technology advances and legislation changes, HIPAA email compliance can seem like a constantly moving target. With the challenges facing today’s healthcare landscape, including the proliferation of electronic health records (EHRs) and health information exchanges (HIEs), hackers and “hacktivists” targeting hospitals and the adoption of cloud and mobile technology in healthcare, HIPAA compliance is becoming more challenging — and more important — than ever.

Much has changed since 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. The World Wide Web was still relatively new, mobile phones were relatively rare (and great for your biceps!) and your health data was divided into thick manila folders stuffed with paperwork. Now, all that stands between patients and the entirety of their medical histories is a username and a password, and a startling number of those passwords is “password.”

The Challenge of Protecting Patient Data

When most of us think about HIPAA compliance, we think about its access control aspect — that is, who gets access to protected health information (PHI), and when. A leak of PHI can be as simple as a medical professional forgetting to log out of their portal, and leaving patient data open on the desktop to be viewed by anyone walking by (this is why automatic logout is one of the “technical safeguards” required to maintain HIPAA compliance).

When it comes to protecting PHI, the penalties add up fast — and since the passing of the 2009 Recovery Act, violating HIPAA has only grown more expensive. Each individual violation will run your business anywhere from $100 to $50,000, if it’s a first offense (and a lack of due diligence, as opposed to willful neglect). Violations due to willful neglect, however, cost a covered entity a minimum of $50,000 per violation. And when you consider how many patients have their data stored on a single server, those $50,000 violations stack up fast.

Doctors, hospital administrators, insurance professionals and anyone who deals with PHI need to be aware of the growing threats to patient privacy and be proactive with their information security. Here are six ways to lock down patient data and stay ahead of the threat.

1. Use strong data encryption.

Any PHI data you’re storing, whether it be on your desktop, on a server or in the cloud, should be encrypted. Encryption obscures your data, making it unintelligible to anyone who doesn’t have the key to decrypt it. As proven by the 2014 CHS Heartbleed attack, which resulted in the theft of 4.5 million social security numbers from one of the largest hospital groups in the United States, cybercriminals have both the desire and the means to crack into hospital servers and steal sensitive data. With encryption, that data is still protected even after hackers get their hands on it, provided they weren’t able to also steal the encryption key.

Data encryption isn’t just best practice for information security, though — it’s a written requirement to maintain HIPAA compliance. Established in 2009, the HIPAA Breach Notification Rule gives businesses 60 days to notify all parties who may be affected by a leak of “unsecured protected health information.” Here, “unsecured” is another way of saying “unencrypted.”

The HHS actually goes into detail about its encryption standards for data at rest and data in motion. For data at rest (data that sits in storage), for example, the HHS’ standards are consistent with those of the National Institute of Standards and Technology (NIST), and include centrally managing all storage encryption, using multi-factor authentication for encryption solutions and using the Advanced Encryption Standard (AES) for encryption algorithms.

2. Encrypt your emails, as well.

A tremendous amount of PHI is exchanged over email, and HIPAA compliant email requires encryption, too. In a post-HITECH (Health Information Technology for Economic and Clinical Health) world, the data shared digitally between doctors and their patients can be extremely useful for enterprising hackers, and email is a particularly vulnerable vector of attack.

The traditional route hospitals and providers take for HIPAA compliant email is a portal solution that uses Transport Layer Security (TLS) to encrypt messages. While these legacy portal solutions do provide for HIPAA email compliance, they are certainly not easy for either the providers or patients who use them. Webmail portals tend to be inconvenient to use, requiring separate usernames and passwords for each and every system and creating information silos for medical information.

Newer email encryption solutions bypass the annoyance of email portals by integrating seamlessly with more popular email services, like Gmail. Virtru Pro, for example, works with the service you’re already using to provide client-side encryption for HIPAA compliant email. In this case, encrypted PHI can be delivered safely and securely directly to the inbox, with no need for separate accounts or credentials. This allows for both HIPAA compliant email and convenience. (To learn more, read our FAQ about how Virtru Pro enables HITECH and HIPAA compliance for Gmail, or download our free guide.)

3. Use multi-factor authentication wherever possible.

If a hacker steals your password, can they access your data? If you’re using multi-factor authentication, you may still be safe. Without multi-factor authentication, your password is a single point of failure, the only gatekeeper separating you from the data thieves.

To help satisfy the Person or Entity Authentication component of HIPAA compliance, the HHS recommends that businesses handling PHI require, in addition to a password or PIN, either something the individual possesses (like a token or smart card) or a biometric (for example, a fingerprint or iris scan) for identity verification. These are both examples of multi-factor authentication, which combines something a user knows with something a user has or something a user is.

Anyone who has used a debit card is familiar with multi-factor authentication. Even if someone gets hold of your card, that person can’t withdraw money at an ATM without your PIN. Requiring two separate steps to verify your identity makes it doubly hard for someone to gain access to your money (or your data) by posing as you.

4. Make all of your employees HIPAA compliance experts.

One of the standards HIPAA lists among its Administrative Safeguards is Security and Awareness Training. Any business is only as secure as its least vigilant employee. All it takes is one tired worker uploading notes to their personal cloud, or leaving handwritten passwords in open spaces, to violate HIPAA compliance laws. It’s essential to make sure that every employee is thoroughly trained and refreshed in HIPAA and HITECH regulations, as well as your company’s security policies.

While many of the technical safeguards that protect HIPAA compliance are automated, like timed session logouts and password complexity requirements, nothing can replace thorough training and adequate knowledge sharing when it comes to strengthening your security posture.

5. Review the compliance and security practices of business associates.

When it comes to HIPAA compliance, you can’t just tidy up shop internally. As with its employees, a company is also only as compliant as its least secure partner, vendor or contractor, and every business your hospital, private practice or insurance company partners with is a potential vector for attack or HIPAA violation.

There are a few precautions any HIPAA-covered entity should take when it enters into a business associate agreement, including securing the right to audit the associate for compliance. Lay down ground rules for HIPAA compliance best practices, including a mutual obligation to encrypt any shared PHI, and ensure that your business associate can’t pass PHI from your patients on to subcontractors without your approval. This includes using only HIPAA compliant email to exchange PHI.

6. Be aware of social engineering and inside threats.

While the leak of PHI is usually a simple act of user error or negligence, many data leaks are caused by malice — both from the outside and within. While many infosec efforts are directed at the stereotypical hacker, hiding in the shadows in a musty basement cracking into a distant server, 28 percent of security incidents come from within the organization, and 66 percent of malicious hacks are acts of social engineering, a method of intrusion that relies on social manipulation.

Social engineering can be as simple as someone walking into a hospital dressed like a convincing repair person, sneaking in a thumb drive and leaving with sensitive PHI. Make sure your internal security audits address these scenarios, as well as insider data threats.

Between legislation and technological advances, healthcare in the United States has recently undergone a dramatic transformation. It’s vital that healthcare providers and other covered entities keep pace with these changes. While it isn’t necessary to be an infosec expert or a white hat hacker, doctors, nurses and administrators should know the law, know the threats and keep vigilant to protect the privacy of their patients and the HIPAA compliance of their practices.

Before discussing the unique case of Gmail, we should first understand what makes an email HIPAA compliant. If you’re looking for a way to prove HIPAA compliance, read this blog post first.

The Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA, is a set of compliance rules for the healthcare industry. HIPAA consists of three main parts: the Privacy Rule, the Security Rule and the Breach Notification Rule.

The Privacy Rule protects individually identifiable health information. The Security Rule provides standards for electronic Protected Health Information (PHI). The Breach Notification Rule stipulates how, and how quickly, individuals affected by a breach must be contacted.

PHI should be looked at as an equation: Identifiers + Health Information. Identifiers can include name, SSN and email, whereas health information includes attributes such as medications, clinical notes and insurance.

Since traditional email was merely meant to connect people, it was built with message delivery as the top priority, in some respects leaving security as an afterthought. While this was beneficial in the early days of email, it means that the first generation of email systems were ill-equipped to protect sensitive patient information.

In most cases, making an email HIPAA compliant means making sure that the message is encrypted from one inbox to another and not delivered in clear text. Unencrypted email is not only a security risk but also a risk of a HIPAA violation fine for healthcare providers.

The Difference Between G Suite (Google Apps) and Gmail for HIPAA Compliance

When it comes down to compliance capabilities, it is important to note that Google offers two separate email products: Gmail and G Suite. Gmail targets personal email addresses. G Suite (formerly Google Apps) targets business email accounts and is meant to be used alongside an owned domain. Gmail is a free service and is associated with @gmail.com email addresses. G Suite is a paid service.

Another very important distinction is the ability to acquire a Business Associate Agreement (BAA) for an email account. Google is willing to sign a BAA with your organization if you are using G Suite. However, if you are using a Gmail account, Google does not offer BAAs.

But even if you use G Suite, becoming compliant doesn’t stop at a BAA. Google is willing to sign a BAA for some, but not all, of its services. Additionally, G Suite only encrypts email at rest and in transit, but not necessarily all of the way to the recipient’s inbox. This means that in the last step an email may still be delivered as clear text, leaving it vulnerable to interception. This is certainly not ideal for any emails transmitting PHI.

Your Patients

Google, by far, is the most utilized personal email option. Because of this, it is safe to assume that the majority of your patients are using Gmail for their personal email. Google has admitted that users’ emails are “subject to automated processing.” Or in other words, Google scans your emails for keywords for advertising retargeting to you and your contacts. If you are corresponding with a patient via their Gmail account, how do you think they would feel realizing Gmail is exposing their health information to Google?

To Put It Simply

Gmail is not a HIPAA compliant solution.

If your organization needs to meet HIPAA regulations, using Gmail for work is not compliant. You are leaving yourself vulnerable to fines because your patients’ PHI is being scanned by a third party without your patients’ consent or knowledge.

Email is everywhere, and it’s not going away anytime soon. Social media, texting, and other forms of electronic communication have had an important and notable rise recently, but about half of the world now uses email, and that figure is increasing. In medicine, approximately 50% of patients either use or want to use email to contact their healthcare providers, and about a third of clinics are actually making it possible for them to do so.

Email, however, was invented well before either HIPAA or our society’s modern appreciation for the importance of strong online security. Because of this, in its most basic and typical form, email has no credible controls to ensure sender and recipient identity, to protect message integrity, or, perhaps most importantly, to prevent third-party snooping. These deficiencies intersect particularly poorly with the legal and ethical demands on healthcare communication, which turns the situation into a powder keg.

In short, email in medicine can be a HIPAA disaster. But it doesn’t have to be.

Let’s talk about the problem and what you can do to solve it.

What HIPAA Compliance Demands from Email

If your healthcare activities are covered by HIPAA and you want to use email to store or transmit protected health information (PHI), then two important sections of the HIPAA regulations will apply to you: the Privacy Rule and the Security Rule.

We’ve discussed these rules before in more detail, but the one-sentence summary is that the Privacy Rule governs how all PHI must be treated, while the Security Rule provides additional regulations for PHI that is in electronic form (ePHI).

The HIPAA Privacy Rule and email

When it comes to email and the HIPAA Privacy Rule, the U.S. Department of Health and Human Services (HHS), which administers HIPAA, has actually weighed in with specific guidance. Here’s a snippet of their position:

Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c).

Sounds like great news! For reference, 45 CFR § 164.530(c), which they cited, is just a section of the actual HIPAA regulations, and it simply requires that you “have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”

Of course, when it comes to email, the definition of an “appropriate technical safeguard” becomes important. HHS weighs in on this, as well:

Covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

So that brings us to the Security Rule…

The HIPAA Security Rule and email

45 CFR Part 164, Subpart C, which HHS referenced above, is quite long and contains many of the foundational aspects of the HIPAA Security Rule. Instead of going through all of it, we’re going to assume that you already have a functioning HIPAA compliance program in place, and we’ll spend this section highlighting just a few key regulations that are especially important when it comes to email. If you need a more thorough rundown on the Security Rule first, check out our earlier complete guide to HIPAA compliance.

Within the Security Rule, much of the important technical guidance shows up in 45 CFR § 164.312, a section on “technical safeguards.” Let’s take an abridged look at some of this section’s requirements as they apply to email:

Access control

Only those people with appropriate access rights should be able to access ePHI. This means that you should use strict security measures for your email account, including a strong password and two-factor authentication. However, you should also consider this requirement as it applies to emails once they leave your email provider’s server and travel across the Internet; if they are unencrypted, then you can’t control access to them as they pass through other servers.

Unique user identification and identity verification

Users on systems with ePHI must be uniquely identified, and their identities must be verifiable. This means no shared logins for email accounts, and it also means that the identity of every person sending or receiving ePHI should be verifiable. Basic email does not have sender or recipient identity verification capabilities.

Data integrity

Systems must protect ePHI from improper alteration or destruction, both at rest and in transit. Technical measures to guard against data loss or corruption need to be in place, and basic email does not include integrity controls.

Encryption and decryption

A mechanism should be used to encrypt and decrypt ePHI. Basic email does not employ encryption.

Transmission security

Technical measures must guard against unauthorized access to ePHI that is being transmitted. Basic email transmission protocols include no guarantee of secure transit.

HIPAA Breach Media Notices

If the HIPAA breach affects more than 500 residents of a State or jurisdiction, in addition to notifying the affected individuals, a press release must be provided by the covered entity (CE) to appropriate media outlets serving the affected area. Media notices must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. The media notice must include the same information required for the individual notices.

HIPAA Breach Disclosure to the HHS Secretary

The HIPAA Breach Notification Final Rule requires covered entities to provide the Secretary of HHS with notice of breaches of unsecured protected health information (45 CFR 164.408). The number of individuals affected by the breach determines when the notification must be submitted to the Secretary. Covered entities must notify the Secretary by visiting the HHS website and filling out and electronically submitting a breach report form.

HIPAA Breach affecting 500 or more Individuals

If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach. This notice must be submitted electronically.

HIPAA Breach affecting fewer than 500 Individuals

For breaches that affect fewer than 500 individuals, a CE must provide the Secretary with a report annually. All disclosure notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred. The notice must be submitted electronically. A separate form must be completed for every breach that has occurred during the calendar year.

When a covered entity has submitted a breach notification form to the Secretary and discovers that there is additional information to report, the CE can submit an additional form, checking the appropriate box for an updated submission.

The Burden of Proof

CEs and BAs have the burden of proof to demonstrate that all required HIPAA Breach disclosures have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. The covered entity must also comply with several other provisions of the Privacy Rule with respect to breach notification. For instance, CEs must have written policies and procedures, and must develop and apply sanctions against workforce members who do not comply with these policies and procedures.

There are HIPAA Breach Exceptions

There are three exceptions to the definition of “breach”:

1. Unintentional acquisition, access, or use of protected health information by a workforce member or a person acting under the authority of a CE or BA, if such acquisition, access, or use was made in good faith and within the scope of the person’s authority.

2. Inadvertent disclosure of protected health information by a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the CE or BA, or at an organized health care arrangement in which the covered entity participates. In both cases the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

3. The covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

CEs must be prepared to defend their decision to claim an exception to the breach definition, so keep the documentation that supports your decision!

Email has been widely used by both business and the general public for much of the last twenty years, and reliance on it has found its way into the daily lives of millions. Recently, email has become even more accessible with the introduction of the smartphone. However, leave it to healthcare to throw a curve ball to this cozy relationship. The fact is, HIPAA and email have long been at odds.

HIPAA Privacy and Security rules are concerned with email and the web in general

Across the board, healthcare providers are increasingly using, considering using, or being asked to use email to communicate with patients about their medical conditions. If you find yourself described here, then it bears repeating that the Internet, and things like an email sent over the Internet, are not secure. Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by parties other than the person to whom it is addressed. And it’s that “possibility” that becomes the area of focus.

HIPAA and email can coexist … it’s a matter of understanding the rules

So what do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email?

Under many of the HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc. But what is considered reasonable? The Office for Civil Rights (OCR) of the Department of Health and Human Services includes several statements on its HIPAA FAQs page. Notably …

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

What if a patient initiates communications with a provider using email? The OCR says:

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”

Must providers acquiesce to use of email for communications with patients?

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

The OCR also interprets the HIPAA Security Rule to apply to email communications.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

To summarize the rules that apply to HIPAA and email …

Email communications are permitted, but you must take precautions;

It is a good idea to warn patients about the risks of using email that includes protected health information (PHI);

Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want to be shared; and

Providers must take steps to protect the integrity of information and protect information shared over open networks.

Are Emails HIPAA Compliant?

HIPAA compliance for email has been a hotly debated topic since changes were enacted in the Health Insurance Portability and Accountability Act (HIPAA) in 2013. Of particular relevance is the language of the HIPAA Security Rule, which, although not expressly prohibiting the use of email to communicate PHI, introduces a number of requirements before email communications can be considered to be HIPAA compliant(*).

Some HIPAA covered entities have put forward the argument that encryption is sufficient to ensure HIPAA compliance for email. However, HIPAA email rules do not just cover encryption. Encryption alone does not fulfill the audit control requirement of monitoring how PHI is communicated or the ID authentication requirement to ensure message accountability.

Furthermore, some required functions – such as the creation of an audit trail and preventing the improper modification of PHI – are complex to resolve. So, although emails can be HIPAA compliant, it requires significant IT resources and a continuing monitoring process to ensure that authorized users are communicating PHI in adherence with policies for HIPAA compliance for email.

(*) HIPAA compliance for email is not always necessary if a covered entity has an internal email network protected by an appropriate firewall.

HIPAA Email Encryption Requirements

HIPAA email rules require messages to be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.

As previously mentioned, encryption is only one element of HIPAA compliance for email, but it will ensure that in the event of a message being intercepted, the contents of that message cannot be read, thus preventing an impermissible disclosure of ePHI.

It should be noted that encryption is an addressable standard in the HIPAA Security Rule for data at rest and HIPAA compliance for email. That means encryption is not ‘required,’ but that does not mean encryption can be ignored. Covered entities must consider encryption and implement an alternative, equivalent safeguard if the decision is taken not to use encryption. That applies to data at rest and data in transit.

A covered entity must decide on whether encryption is appropriate based on the level of risk involved. It is therefore necessary to conduct a risk analysis to determine the threat to the confidentiality, integrity, and availability of ePHI sent via email. A risk management plan must then be developed, and encryption or an alternative measure implemented to reduce that risk to an appropriate and acceptable level. The decision must also be documented. OCR will want to see that encryption has been considered, why it has not been used, and that the alternative safeguard that has been implemented in its place offers an equivalent level of protection.

Encryption is an important element of HIPAA compliance for email, but not all forms of encryption offer the same level of security. Just as the method of encryption is not specified in HIPAA, to take into account advances in technology, it would not be appropriate to recommend a form of encryption on this page for the same reason. For example, a covered entity could once have used the Data Encryption Standard (DES) encryption algorithm to ensure HIPAA compliance for email, but that algorithm is now known to be highly insecure.

HIPAA-covered entities can obtain up to date guidance on encryption from the National Institute of Standards and Technology (NIST), which, at the time of writing, recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption. That could naturally change, so it is important to check NIST’s latest guidance before implementing encryption for email. NIST has published SP 800-45 Version 2, which will help organizations secure their email communications.
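As an added illustration (not code from the original page or from any vendor it mentions) of what the "Encryption and decryption" and "Data integrity" safeguards listed earlier look like when implemented with the AES key sizes NIST recommends here: the Go program below protects a constructed message body with AES-256-GCM from the standard library, binds the readable routing headers to the body as associated data, and checks that a single altered bit, a changed header or a DES-sized 8-byte key is rejected. The `Envelope`, `Seal`, `Open` and `TamperDetected` names, the wire format and the sample message are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is a constructed wire format for one protected message body:
// the random 96-bit GCM nonce plus the ciphertext with its 128-bit tag appended.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-GCM cipher; aes.NewCipher rejects any key that is not
// 16, 24 or 32 bytes, i.e. anything other than AES-128, AES-192 or AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body under key. The associated data (aad) is authenticated but
// left readable, so routing headers can stay in clear yet cannot be altered
// without the recipient noticing.
func Seal(key, body, aad []byte) (*Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, aad)}, nil
}

// Open decrypts and verifies. Any change to nonce, ciphertext, tag or aad makes
// the GCM tag check fail, and no plaintext is returned.
func Open(key []byte, env *Envelope, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("integrity check failed: message altered or wrong key")
	}
	return body, nil
}

// TamperDetected is the integrity-control check an auditor would want to see:
// flip one bit of the ciphertext and confirm Open rejects it. It returns true
// when the alteration is caught.
func TamperDetected(key, body, aad []byte) (bool, error) {
	env, err := Seal(key, body, aad)
	if err != nil {
		return false, err
	}
	forged := &Envelope{Nonce: env.Nonce, Ciphertext: append([]byte(nil), env.Ciphertext...)}
	forged.Ciphertext[0] ^= 0x01
	_, err = Open(key, forged, aad)
	return err != nil, nil
}

func main() {
	key := make([]byte, 32) // AES-256; a real deployment derives or exchanges this key, never hard-codes it
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample message; not real patient data.
	headers := []byte("From: clinic@example.org\r\nTo: patient@example.net\r\n")
	body := []byte("Rx: metformin 500 mg twice daily. Follow-up in 3 months.")

	env, err := Seal(key, body, headers)
	if err != nil {
		panic(err)
	}
	fmt.Printf("in transit: %d bytes of ciphertext, body unreadable\n", len(env.Ciphertext))

	got, err := Open(key, env, headers)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient reads: %s\n", got)

	caught, err := TamperDetected(key, body, headers)
	if err != nil {
		panic(err)
	}
	fmt.Println("one-bit alteration in transit detected:", caught)

	// Headers are bound to the body: a message whose headers were changed in transit fails verification.
	_, err = Open(key, env, []byte("From: clinic@example.org\r\nTo: other@example.net\r\n"))
	fmt.Println("altered headers rejected:", err != nil)
}
```

Key management (who holds the key, how it reaches the recipient, how it is rotated) is outside this block; GCM gives confidentiality and integrity for one message only as long as the key stays secret and the nonce is never reused.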

How Secure Messaging Resolves Issues with HIPAA Compliance for Email

Secure messaging is an appropriate substitute for emails as it fulfills all the requirements of the HIPAA Security Rule without sacrificing the speed and convenience of mobile technology. The solution to HIPAA compliance for email uses secure messaging apps that can be downloaded onto any desktop computer or mobile device.

Authorized users have to log into the apps using a unique, centrally-issued username and PIN that then allows their activity to be monitored and audit trails created. All messages containing PHI are encrypted, while security mechanisms exist to ensure that PHI cannot be sent outside of an organization’s network of authorized users.

Administrative controls prevent unauthorized access to PHI by assigning messages “message lifespans”, forcing automatic logoffs when an app has not been used for a predetermined period of time, and allowing the remote deletion of messages from a user’s device if the device is lost, stolen or otherwise disposed of.

The Benefits of Secure Messaging

The primary benefit of secure messaging when compared to email is the speed at which people respond to text messages. Studies have determined that 90% of people read a text message within three minutes of receiving it, whereas almost a quarter of emails remain unopened for forty-eight hours.

The communications cycle is further accelerated by the mechanisms to enforce message accountability. These significantly reduce phone tag, allowing employees more time to attend to their duties. In a healthcare environment, this means less time waiting by a phone and more time providing healthcare for patients.

This acceleration of the communications cycle also reduces the time it takes to admit or discharge a patient, how long it takes for prescription errors to be resolved, and the length of time it may take for invoices to get paid. Ultimately, secure messaging is a lot more effective than email, and less trouble to implement than resolving HIPAA compliance for email.

Encrypted Email Archiving for PHI

Even though a secure messaging solution is an appropriate alternative to email, covered entities are still required to retain past communications containing PHI for a period of six years. Depending on the size of the covered entity, and the volume of emails that have been sent and received during this period, the retention of PHI can create a storage issue for many organizations. The solution to this potential problem is encrypted email archiving for PHI.

Vendors providing an email archiving service are regarded as Business Associates, and have to adhere to the same requirements of the HIPAA Security Rule as covered entities. Therefore, their service has to have access controls, audit controls, integrity controls, and ID authentication in order to ensure the integrity of PHI. In order to comply with HIPAA email rules on transmission security, all emails should be encrypted at source before being sent to the service provider’s secure storage facility for archiving.

The biggest advantage of encrypted email archiving for PHI is that, as the emails and their attachments are being encrypted, the content of each email is indexed. This makes for easy retrieval should a covered entity need to access an email quickly to comply with an audit request or to advance discovery. Other advantages include the freeing of storage space on a covered entity’s servers, and that encrypted email archiving for PHI can be used as part of a disaster recovery plan.

2016 was a record-breaking year for healthcare data breaches affecting 500 individuals or more, with the Office for Civil Rights (OCR) reporting a 22% increase year-on-year. Compared with five years ago, this increase is more significant still at 66%. It’s too early to tell whether 2017 will be better or worse for data breaches, but it remains a fact that HIPAA compliance issues will always be high on healthcare organizations’ agendas – regardless of size or stature.

With OCR’s phase 2 audits currently in full swing, there’s no better time for healthcare professionals to reassess their organization’s HIPAA policies in accordance with its privacy and security rules. Maintaining a HIPAA compliant organization is a challenge at the best of times – particularly with the rapid growth of mobile and BYOD in recent years – but as the following points demonstrate, there’s more to HIPAA than meets the eye.

1. HIPAA goes beyond the healthcare industry

The definition of a covered entity as defined by HIPAA is somewhat ambiguous and therefore open to misinterpretation. It’s often assumed the rules only apply to businesses that directly provide health services – such as hospitals, physician practices, clearinghouses etc. – when in reality, many other industries are affected too.

Complications are likely to arise if an organization believes it doesn’t need to concern itself with HIPAA compliance, as illustrated in the 2015 Verizon Protected Health Information Data Breach Report. It linked around 20 different industries to a protected health information (PHI) data breach, including manufacturing, retail and education.

2. Business Associates and conduit exception rule

Any organization or individual that creates, receives, maintains or transmits PHI in the course of delivering services to a covered entity is classed as a Business Associate (BA). Covered entities should have a Business Associate Agreement (BAA) in place with each of their BAs, and if a BA uses subcontractors for their services, a BAA should be executed with them, too.

Complications emerge when a BA claims to be a “conduit for information”, citing the conduit exception rule, to get out of signing a BAA. It’s vital covered entities understand the conduit exception rule only applies to a few organizations, such as the United States Postal Service, internet service providers (ISPs) and couriers. If any organization that creates, receives, maintains or stores PHI won’t sign a BAA, questions should be asked about its commitment to HIPAA compliance.

3. When PHI isn’t PHI

In a process known as de-identification, health information that has particular identifiers removed in accordance with Section 164.514(a) of the HIPAA Privacy Rule is no longer classed as PHI and can therefore be made publicly available. The National Center for Health Statistics is one example of a data source that publishes de-identified health information.

Complete de-identification of PHI is a mammoth task to carry out. Any organization that wishes to make health information publicly available should appoint an expert to manage the process for them, as getting it wrong would likely have grave consequences. Even if managed properly, there is an overarching risk the data in question could be found to link back to the individual it relates to.
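To show what the field-level part of de-identification looks like in practice, here is an added Go example; it is not code from the original article or from any organization it mentions. It applies four of the transformations the Safe Harbor method (§164.514(b)(2)) prescribes: the name is dropped, dates are reduced to the year, ages over 89 are aggregated into a single "90+" category with the birth year suppressed (since the year alone would indicate such an age), and the ZIP code is truncated to its first three digits, or replaced by "000" when the prefix is on the restricted list. The Record type, the sample records and the contents of restrictedZIP3 are constructed assumptions; the real restricted-prefix list comes from HHS guidance and census data, and Safe Harbor covers 18 identifier categories, of which this handles only a few.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Record is a constructed, simplified patient record for this example only.
type Record struct {
	Name      string
	BirthDate string // YYYY-MM-DD
	Age       int
	ZIP       string // five-digit ZIP code
	Diagnosis string
}

// Deidentified holds the generalized fields that remain after Safe Harbor
// style processing. The name is dropped entirely.
type Deidentified struct {
	BirthYear string // "" when the year itself would reveal an age of 90 or more
	AgeBand   string // exact age below 90, otherwise "90+"
	ZIP3      string // first three digits, or "000" for a restricted prefix
	Diagnosis string
}

// restrictedZIP3 is a placeholder for the three-digit prefixes whose combined
// population is 20,000 or fewer. "999" is a constructed value for demonstration;
// the real list comes from HHS guidance and census data.
var restrictedZIP3 = map[string]bool{"999": true}

// generalizeZIP keeps the first three digits of a ZIP code unless that prefix
// is restricted, in which case Safe Harbor requires "000".
func generalizeZIP(zip string) string {
	zip = strings.TrimSpace(zip)
	if len(zip) < 3 {
		return "000"
	}
	prefix := zip[:3]
	if restrictedZIP3[prefix] {
		return "000"
	}
	return prefix
}

// Deidentify removes the name, keeps only the year of the birth date,
// aggregates ages over 89 into "90+" and suppresses the birth year when it
// would itself indicate such an age.
func Deidentify(r Record) Deidentified {
	out := Deidentified{Diagnosis: r.Diagnosis, ZIP3: generalizeZIP(r.ZIP)}
	if r.Age >= 90 {
		out.AgeBand = "90+"
		out.BirthYear = "" // a year of birth would reveal the age
		return out
	}
	out.AgeBand = strconv.Itoa(r.Age)
	if len(r.BirthDate) >= 4 {
		out.BirthYear = r.BirthDate[:4]
	}
	return out
}

func main() {
	// Constructed sample records.
	samples := []Record{
		{Name: "Jane Doe", BirthDate: "1950-06-15", Age: 66, ZIP: "02138", Diagnosis: "hypertension"},
		{Name: "John Roe", BirthDate: "1924-02-29", Age: 93, ZIP: "99901", Diagnosis: "arthritis"},
	}
	for _, s := range samples {
		fmt.Printf("%+v\n", Deidentify(s))
	}
}
```

Even after these transformations, the remaining fields (year of birth, three-digit ZIP, diagnosis) can still be combined with outside data to narrow down an individual, which is the residual re-identification risk the paragraph above warns about; that is why the full process needs an expert rather than a single filter like this one.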

4. Addressable isn’t the same as optional

To help ensure the confidentiality of patient information and prevent a data breach, HIPAA outlines physical, administrative and technical safeguards. The technical safeguards are broken down into six standards focused on the technology that protects and controls access to PHI. Under these six standards, there are nine key areas organizations are required to implement.

However, these standards are classified into two categories, “required” and “addressable”. Any covered entity or BA that doesn’t pay attention to the addressable standards is opening itself up to fines for noncompliance and an increased risk of breaches. To be clear, addressable doesn’t mean optional.

5. HIPAA penalties

Failure to comply with HIPAA can result in both civil and criminal penalties. Civil penalties are monetary, varying from $100 to $1.5 million, and enforced by OCR. Criminal penalties can result in imprisonment for 10 years or more, as enforced by the U.S. Department of Justice.

With laws differing from state to state, there’s often confusion around the criminal charges, fines and prison sentences an individual might be up against for noncompliance. These discrepancies are heightened by the fact that some, but not all, state and federal laws allow individuals to sue in court for privacy violations, which can lead to additional fines or damages awards.

For covered entities and their BAs, particularly those who operate across multiple states, understanding the rules of HIPAA is just the tip of the iceberg. The consequences of noncompliance that lie below this surface can be crippling.

6. Digital and electronic signatures

An electronic signature is the action of signing electronically during a digital transaction, while a digital signature is the underlying technology that helps verify the authenticity of the transaction.

Used correctly, the security benefits of these technologies can help organizations to maintain compliance of the Security Rule through:

protecting the integrity of messages throughout their entire lifecycle, through digital encryption

providing user authentication, helping to ensure sensitive information doesn’t end up in the wrong hands, and

ensuring non-repudiation (assurances that a person who signs something cannot later deny that they furnished the signature) by providing digital audit trails.

However, OCR offers very little guidance on the topic of digital and electronic signatures and their use certainly doesn’t ensure HIPAA compliance. Organizations should assess every situation with caution, and use digital signatures as an additional security measure where appropriate.
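To make the three properties listed above concrete, here is an added Go example; it is not code from the original post or from any vendor it mentions. It signs a message with Ed25519 from Go's standard library, attaches a fingerprint of the signer's public key so an audit trail can record who signed, and shows verification failing when the message is altered after signing or when a different key is presented. The message text and the SignerID fingerprint scheme are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedMessage bundles a message with its Ed25519 signature and a fingerprint
// of the signer's public key, so an audit record can name the signer.
type SignedMessage struct {
	Body      []byte
	Signature []byte
	SignerID  string // constructed scheme: first 8 bytes of SHA-256(public key), hex
}

// KeyID derives a short, stable identifier for a public key for audit logs.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign produces a SignedMessage. Only the holder of priv can create a valid
// signature over Body, which is what gives authentication and non-repudiation.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedMessage{
		Body:      body,
		Signature: ed25519.Sign(priv, body),
		SignerID:  KeyID(pub),
	}
}

// Verify checks integrity and origin: it returns false if the body was altered
// after signing, or if the signature was not produced by the key matching pub.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	if KeyID(pub) != m.SignerID {
		return false // audit record names a different signer
	}
	return ed25519.Verify(pub, m.Body, m.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample message.
	msg := Sign(priv, []byte("Patient 0001: lab results released 2017-03-01"))
	fmt.Println("signer:", msg.SignerID, "valid:", Verify(pub, msg))

	// Altering even one character after signing breaks integrity.
	tampered := msg
	tampered.Body = []byte("Patient 0002: lab results released 2017-03-01")
	fmt.Println("tampered valid:", Verify(pub, tampered))

	// A message presented with someone else's key fails the origin check.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key valid:", Verify(otherPub, msg))
}
```

Note that the signature does not hide the message contents; what it proves is that the body seen by the verifier is exactly what the key holder signed. Confidentiality of the message in transit is a separate control.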

1. Development of privacy policies. Healthcare organizations must develop, adopt and implement privacy and security policies and procedures. They must also make sure that they are documenting all their policies and procedures, including steps to take when a breach occurs.

2. Appointment of privacy and security officers. Healthcare organizations should appoint a privacy and security officer. This could either be the same or different individuals. This person should be conversant in all HIPAA regulations and policies.

3. Conducting regular risk assessments. Healthcare organizations should regularly conduct risk assessments to identify vulnerabilities. This will help ensure the confidentiality and integrity of protected health information. It is important to remediate any identified risks and revise policies, if necessary, to minimize risk.

4. Adoption of email policies. Healthcare organizations should adopt policies regarding the use of e-mail. "The Office of Civil Rights does not look too kindly on organizations who haven't established policies regarding mobile devices and email communication." HIPAA does not prohibit the use of email for transmitting protected health information, and it does not require that the email be encrypted. But it is best to encrypt email if possible. If your organization can't encrypt email, make sure that your patients are aware of the risks they face if they ask for their health information over email.

5. Adoption of mobile device policies. Healthcare organizations should adopt strict policies regarding the storage of protected health information on portable electronic devices, and they should regulate the removal of those electronic devices from the premises. HHS has issued guidance regarding the use of mobile devices, and healthcare organizations should be familiar with it.

6. Training. Training all employees who use or disclose protected health information and documenting that training, is an essential step to ensuring HIPAA compliance. Healthcare organizations should also conduct refresher courses and train the employees in new policies and procedures.

7. Notice of Privacy Practices. A Notice of Privacy Practices should be correctly published and distributed to all patients. It should also be displayed on the organization's website, and the organization should obtain acknowledgement of receipt from all their patients. The notice should be updated whenever policies are revised, and it will need to be updated now to reflect the provisions of the Omnibus Final Rule.

8. Entering into valid agreements. Healthcare organizations should ensure that they are entering into valid business associate agreements with all business associates and subcontractors. Any existing business associate agreements will have to be updated to reflect the changes to HIPAA under the final rule, such as the expansion of liability of business associates.

9. Adoption of potential breach protocols. A protocol for investigating potential breaches of protected health information is a must. The Risk of Harm Standard and the risk assessment test can be used to determine if a breach has occurred. If a breach has occurred, it is essential that the healthcare organization document the results of the investigation and notify the appropriate authorities.

10. Implementation of privacy policies. Privacy and security policies must be properly implemented by healthcare organizations, and they should sanction employees who violate them.

These 10 steps will help healthcare organizations ensure that they remain HIPAA compliant, but organizations are also encouraged to check the resources available on the Office of Civil Rights website, such as sample business associate agreements and audit protocols.

Understanding your need for a HIPAA risk assessment is one of the best ways that behavioral health practices can defend against HIPAA fines.

In order to be HIPAA compliant you must address all elements of the law, but one of the most essential places to start is by fulfilling your mandatory HIPAA risk assessments. But how do you know what your HIPAA risk assessment requirements are under the law?

What’s a HIPAA Risk Assessment?

Let’s start with a simple explanation of the risk assessments required for HIPAA compliance.

A HIPAA risk assessment is an audit of your practice to assess the status of your compliance. HIPAA risk assessments give you a better understanding of the gaps that you currently have in your compliance program, so that you can build remediation plans to fix them.

HIPAA regulation outlines that you must conduct Physical, Administrative, and Technical risk assessments within your practice in order to be HIPAA compliant. These risk assessments will measure your practice against HIPAA regulatory standards.

Beyond HIPAA Risk Assessments

Once you’ve completed your risk assessments, you’ll have a clear understanding of which HIPAA standards you need to address.

Remediation plans help organize your compliance program so that you can understand where to focus your efforts to become HIPAA compliant. By completing your remediation plans with HIPAA policies and procedures, you help protect your behavioral health practice from liability in the event of a HIPAA violation in the future.

HIPAA risk assessments are only the first step among many that you need to take to become compliant with the law. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has an online HIPAA risk assessment tool that health care providers across the industry can access.

However, HHS does not have a tool for following up on these risk assessments with remediation plans, policies and procedures, employee training, documentation, business associate management, and breach management. Finding a HIPAA compliance solution to address the remainder of the federally mandated HIPAA standards should be your next step for protecting your practice from breaches and fines.

When it comes to HIPAA and ransomware, there are some key responsibilities that health care professionals have when handling an incident. Following the regulation is essential to keeping your behavioral health practice out of the headlines and mitigating the risk to patients’ sensitive health data.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has yet to release new regulation specifically in regards to HIPAA and ransomware. However, in 2016 after a string of ransomware attacks impacted hospitals and health services across North America, guidance was released about how to handle a ransomware incident should one impact your practice.

What is Ransomware?

Ransomware is a type of malware that infects your computer or network. The malicious software automatically encrypts your data, and then the hackers responsible demand a ransom in exchange for access.

Sometimes, the ransomware will even give health care providers a countdown: pay the ransom within the time allotted, or face permanently losing access to this electronic protected health information (ePHI). ePHI is any health care data that can be used to identify a patient that is stored in electronic format, such as electronic health records systems (EHRs).

How to Handle HIPAA and Ransomware

In the event of a ransomware incident, the first thing you should do is report the incident to local law enforcement. HHS guidance on the matter even goes so far as to include contacting the FBI, though this is only fully necessary for larger organizations such as hospital systems.

If you have reason to believe that ePHI has been accessed by the hackers, then you must also report the breach to OCR. If your organization already has an effective HIPAA compliance solution in place, then you should have full documentation in place that can prove to OCR investigators that you’ve done everything possible to prevent breaches.

Having a HIPAA compliance program in place can’t prevent a ransomware attack from occurring, but it’s your best defense against heavy federal fines in the event that a breach does occur. HIPAA fines have already reached $17.1 million in 2017 alone, which is set to outpace 2016’s record breaking $23.5 million.

Proper precautions will help you gain the best patient rapport and standing. You’ll also avoid breach-related complaints, reputational damage, hefty monetary fines, civil lawsuits, criminal charges, medical license loss, and/or imprisonment. E-Complish excels at compliance with both Payment Card Industry (PCI) and HIPAA compliance protocols. With us you can be sure client payment info and PHI remains safeguarded, but follow the eight steps below to ensure that your medical or dental facility is compliant.

Run Thorough Risk Assessments

Did your medical practice adopt an electronic health record (EHR) system before clear directions specified everything it should contain? Then your office might be using a system that fails to meet HIPAA standards. Using the latest guidelines, run a thorough risk assessment on your current system. That will highlight any noncompliant areas that you need to update to fulfill your obligations. In addition, you or a HIPAA specialist must complete mandatory security risk assessments annually. Then develop detailed action plans and timelines that address all evaluated issues requiring remediation or follow-ups.

Prepare for Disasters Before They Occur

Keeping all customer data that your medical or dental facility handles safe from corruption and loss is key. Installing antivirus programs on all business computers will protect them from viruses that could corrupt or destroy files. To prevent losses due to mishaps, back up all health records frequently. Using off-site locations will stop destructive events like office fires and floods from making valuable backups irretrievable.

Develop a Policy and Procedure Manual

Create written instructions that detail how your staff should address and maintain patient privacy, confidentiality, and security. Include a HIPAA compliance overview with specific processes for patient notifications, disclosures, and relevant forms. Distribute this manual to all existing employees and new hires. Requiring them to sign and return statements that they read and understand your policies and procedures can increase conformity. Review, update, and redistribute your handbook as regulations expand and change.

Establish an Ongoing Staff Training Program

Your weakest links determine your EHR’s strength. In medical and dental offices, untrained employees make the most errors unintentionally. Staffers who fail to follow safety protocols when accessing files and records can render even a very dependable encryption system useless. That might allow unauthorized parties to gain access illegally.

Guiding new hires is just the beginning. Re-educating your entire team to adhere to vital safeguards annually will ensure data security and integrity. Everyone must recognize that protecting health information is essential. Gather staffers’ signatures, acknowledging awareness of HIPAA principles and practices. Document all employees’ names with initial and refresher course dates to verify that you’re fulfilling your ongoing commitment. Also evaluate and revise your training program as regulations expand and change.

Add Compatible and Compliant Office Equipment

All new equipment you buy for your medical or dental facility must be compatible with your existing system while providing sufficient security. Make sure that all purchases include both of these crucial elements, because either one without the other is a costly mistake.

Collaborate With All Affected Internal Parties

The changes you must make to become HIPAA compliant will affect various internal personnel. Inform all involved supervisors and departments about necessary modifications to their routines. Preventing violations requires everyone’s ongoing and diligent participation.

Demonstrate Privacy throughout Your Facility

Treat your patients with the discretion they deserve everywhere from your lobby to examination rooms. Minimize personal references to specific patients by announcing just their given or surnames when calling them to the reception desk, payment windows, and doctor consultations. Providing private, quiet spaces for discussions with individuals will stop uninvolved parties from overhearing sensitive information. Always knock on closed doors before entering patients’ rooms. Never leave their files and documents visible or unsecured where unauthorized people could view them.

Post HIPAA Notices

Print notices explaining your HIPAA practices. Place them in easily noticeable common office areas. Your patients can review applicable privacy laws with information about how you’re striving to protect their health care’s confidentiality.

We recently conducted a survey of medical practices and billing companies to gauge their knowledge of HIPAA’s Privacy and Security regulations, compliance measures, and communication methods.

With the help of our partners at Porter Research and The Daniel Brown Law Group, we've created an easy-to-consume narrative explaining the various aspects of HIPAA compliance while also presenting the results in a way that's easy to understand.

The survey of more than 1,100 healthcare professionals revealed several areas of concern, including:

66 percent of respondents were unaware of HIPAA audits prior to this survey bringing it to their attention

35 percent of respondents have conducted a HIPAA-required risk analysis

24 percent of owners, managers, and administrators in small practices have evaluated all of their Business Associate Agreements

56 percent of office staff and non-owner care providers in small practices have received HIPAA training in the last year

While we noticed a trend suggesting billing companies may be doing better with compliance compared to medical practices, what we found most alarming was the consistent information gap between management and staff when handling HIPAA compliance measures.

HIPAA Compliance Resources

Alongside the results, we've also curated a list of resources to help you learn more about the upcoming audits, how to develop a compliance plan, conduct a risk analysis, and how to ensure your electronic devices are HIPAA compliant.

When you spend a lot of time writing about HIPAA compliance and its importance for healthcare providers, you sometimes forget the bigger question: What does HIPAA compliant communication mean for healthcare?

Yes, we know that HIPAA requires secure and encrypted clinical communication to ensure patient privacy. But is that where the argument starts and ends? Is patient privacy the only reason to embrace HIPAA compliant communication?

Turns out, there’s more to the riddle.

Why focus on secure email and secure mobile messaging

According to a 2015 study, healthcare employees use mobile messaging more frequently than voice calling for their business communication. 65 percent of healthcare respondents use email most frequently for business communication, followed by mobile messaging (22 percent) and voice calling (13 percent). The same study also reported that 91 percent of those interviewed use mobile messaging at least a few times per week.

Pagers cost over $1.7 M per year in lost productivity. As such, it is important to find alternatives that make healthcare communication processes as efficient and effective as possible.

Similarly, given the prominence of email and mobile communication in healthcare, it also makes sense to remove the friction that these communications cause in terms of efficiency.

If information cannot be easily exchanged through email due to HIPAA concerns or legacy pen-and-paper processes, then the workflow is bogged down.

Why is workflow important?

Efficient clinical workflow saves time, saves money, and saves lives. And in today’s industry, workflow can have a significant effect on reimbursement. As such, effective and efficient communication is key. Practices need to be choosy.

OnPage’s smartphone-based secure messaging tool and Paubox’s mobile friendly HIPAA secure email and forms are designed with secure communication in mind as well as improved workflow. OnPage is able to improve workflow as is Paubox.

And workflow is really where it’s at.

While HIPAA compliance is important to physicians, it is not as important as their patients. Physicians focus on seeing patients and improving patient lives.

Technology that improves practitioners’ efficiency and allows them to spend more time helping patients is meaningful.

How HIPAA secure messaging trumps workflow

As noted, pagers are a huge impediment to optimal workflow in hospitals.

Most paging systems utilize single-function pagers that only allow one-way communication, requiring recipients to disrupt workflow to respond to pages. Paging transmissions can also be intercepted, and the information presented on pager displays can be viewed by anyone in possession of the pager.

However, smartphone-based, HIPAA-compliant group messaging applications improve in-hospital communication. These applications save time as physicians and nurses do not need to receive messages on their pager and then respond via cellphone.

By using only cellphone-based secure messaging applications, physicians and nurses have access to secure communication with the information security that paging and commercial cellular networks do not provide.

Additionally, secure messaging technologies enable persistent alerting that ensures messages aren’t dropped, missed or forgotten. By ensuring that messages are not lost, administrators do not need to waste time following up on sent messages.

How secure email and forms improve workflow

A doctor or practitioner must encrypt their emails when they communicate protected health information via email.

Unfortunately, most encrypted email providers use a portal to gate communication. Portals can make recipients take up to five extra steps just to view any messages. It also makes the experience of reading email on a mobile device cumbersome.

Not being able to send and receive emails quickly and easily can significantly bog down workflows.

When it comes to forms, online forms reduce the time patients spend in the office and make the process of patient engagement much more fluid.

Having web forms enables patients to enter their information online and include attachments such as photos or documents, then send in their forms directly to their healthcare provider’s inbox via a HIPAA compliant email provider like Paubox.

Electronic forms make archiving these documents much easier than their paper counterparts as well.

Conclusion

Overall, healthcare cannot ignore the importance of HIPAA compliance; however, healthcare technology also needs to focus on improving the workflow of physicians and practitioners.

As a healthcare provider or practitioner, you need to look for solutions that make communication more efficient.

Choosing an effective HIPAA compliance solution for your health care business is essential in defending against HIPAA breaches and fines.

There are many software solutions on the market that give healthcare professionals the ability to address their HIPAA compliance. But when it comes to finding an effective HIPAA compliance software for your practice, it can be difficult to parse the differences between your options.

To help narrow your choices, we’ve put together this guide to give you a sense for the bare-bones essentials that will keep your practice safe in the event of a HIPAA audit.

What should effective HIPAA compliance software include?

1. Self-Audits, Security Risk Assessment

HIPAA compliance software must give you the ability to audit your practice against the HIPAA rules. These audits give you a baseline assessment of the security and privacy measures you already have in place and how they compare to the HIPAA standards.

Security Risk Assessments are also a mandatory component of HIPAA compliance.

Most HIPAA software solutions will give you the ability to complete your Security Risk Assessment, but don’t follow through on remaining HIPAA requirements. Keep in mind that incomplete software solutions will leave your practice exposed to HIPAA breaches and fines, even with a Security Risk Assessment in place.

2. Remediation Plans

Any effective HIPAA compliance software must allow your practice to create remediation plans in response to the gaps uncovered by your self-audits and security risk assessment. Remediation plans are an essential part of becoming HIPAA compliant because they provide the government with proof that your practice has performed due diligence.

A good HIPAA compliance software should give your organization the ability to document and retain all components of your remediation plans, with an area for notes and important details tailored to the specific steps taken to remediate your practice’s gaps.

3. Policies, Procedures, Employee Training

One of the essentials of any HIPAA compliance program is a robust and unique set of HIPAA policies and procedures. It’s especially important that the HIPAA compliance software you choose gives you the ability to create, customize, and apply policies and procedures in your practice.

Policies and procedures are the infrastructure around which the rest of your compliance program will be built. The HIPAA Rules outline specific standards for privacy and security that must be implemented, and your organization’s policies and procedures should correspond with all applicable standards.

HIPAA policies and procedures must be updated annually to account for any changes in the running of your organization—an effective HIPAA compliance software should send you reminders or give you support to ensure you meet these annual deadlines and avoid common HIPAA violations.

Once you’ve adopted and applied your policies and procedures, all staff members must be trained on them annually. They must legally attest that they’ve read and understood the policies and procedures of your organization. An effective HIPAA compliance software should have modules for employee training, in addition to documentation capabilities to keep employee attestation stored for at least six years, as mandated by HIPAA.

4. Documentation

Documentation is the most important aspect of any HIPAA compliance program. Without proper documentation of your compliance efforts, your practice will not be able to properly defend itself in the event of a HIPAA audit.

An effective HIPAA compliance software should be able to create documentation for each and every step of your compliance program. This documentation must be retained for at least six years in order to adhere to federally mandated HIPAA standards, and your HIPAA software should be able to maintain these records on your behalf.

5. Business Associate Management

HIPAA regulation requires health care professionals to execute contracts with their health care vendors before they share health care data. These contracts are called Business Associate Agreements (BAAs), and they’re meant to protect your practice from liability in the event of a breach caused by a health care vendor.

An effective HIPAA compliance software should come included with pre-vetted Business Associate Agreements, in addition to a means for properly storing them once they’ve been executed and signed. Because Business Associate Agreements must be reviewed annually, HIPAA compliance software should also allow users to easily review stored files to make necessary changes and avoid HIPAA violations caused by out of date or missing BAAs.

6. Breach/Incident Management

The final component of an effective HIPAA compliance software we’ll discuss is Incident Management. Any time a healthcare organization experiences a data breach, that breach must be tracked, documented, investigated, and reported to HHS OCR.

An effective HIPAA compliance software should give users the ability to track and document all stages of a data breach or incident investigation. In the event that the data breach spurs an OCR HIPAA investigation, the affected organization must be able to demonstrate the steps they’ve taken in the aftermath of a breach.

Once again, documentation is key here, not only because it’s legally required by the HIPAA Breach Notification Rule, but because it’s essential to protecting the affected organization from ensuing HIPAA fines.

Why should you choose a total HIPAA compliance software?

Choosing a total HIPAA compliance software gives your practice a way to handle HIPAA right the first time around. Piecemeal, self-serve software solutions waste time and don’t give your practice everything needed to become HIPAA compliant. Without a HIPAA compliance software that addresses each of the HIPAA standards listed above, your practice could be at risk of incurring serious HIPAA fines.

HIPAA enforcement has ramped up significantly in recent years, now totaling more than $46 million since 2015 alone.

Protecting your practice and your reputation from HIPAA breaches and fines is easier than ever before, especially with total HIPAA software solutions that work for you.

A HIPAA compliance checklist is the tool to turn to when imposing sanctions on employees for HIPAA privacy breaches. It may feel like a never-ending and thankless task, but consider the alternatives. It can be tempting to adopt a “no harm, no foul” approach to employee sanctions. But this is not the way the Office for Civil Rights, the government agency that investigates HIPAA breaches, looks at things. To that end, your HIPAA Compliance Checklist must also address employee sanctions.

HIPAA is all about protecting PHI

There are numerous examples of the OCR imposing penalties on organizations for not protecting PHI. And these penalties are imposed even though there was no evidence of anyone receiving or accessing any PHI in cases where a breach occurred.

The OCR considers encryption of ePHI by malicious software (e.g., ransomware) to be an unauthorized disclosure not permitted under the Privacy Rule. Even in a ransomware attack, an organization could reasonably conclude there is a low probability that the PHI has been compromised. But if it cannot reach that conclusion, it is required to comply with the applicable breach notification provisions. And this is the case even if there is no evidence that the PHI was viewed by anyone else.

An employee of Cancer Care Group of Indianapolis left unencrypted back-up media in a bag in a car; the car was broken into and the bag stolen. There was no evidence that any information was ever disseminated, but the OCR imposed a penalty of $750,000 on the group.

In 2014, the OCR imposed a fine of $400,000 on Idaho State University for a breach of unsecured ePHI. This was because the school had left its firewalls disabled for over 10 months! Again, there was no indication PHI was accessed by any unauthorized persons; it was simply not protecting its PHI.

These are just a few examples of settlements, some involving employees failing to follow procedures, or where there were no procedures at all. In these cases, penalties were imposed even though no information was shown to have been accessed by unauthorized parties.

It is certainly possible to have an unauthorized disclosure that is not a reportable breach. A breach is defined as the acquisition, access, use or disclosure of protected health information in a manner not permitted under the regulations, where the disclosure compromises the security or privacy of the protected health information.

These days, employees are often the source of breaches, with events ranging from lost laptops to PHI included in social media posts occurring almost daily. It is very important to include a policy on employee sanctions in your HIPAA Compliance Checklist. An employee sanctions policy can and should take into account the potential harm from the unauthorized disclosure. But a “no harm, no foul” approach may leave the organization open to penalties by the OCR.

A HIPAA compliance checklist for employee sanctions policies should address several issues:

The policy should reference 45 CFR 164.530(e) of the Administrative Requirements, which requires covered entities to have and apply appropriate sanctions against members of their workforce who fail to comply with the entity’s privacy policies and procedures.

Section 6102(b)(4)(F) of the Affordable Care Act also requires that the standards be consistently enforced through disciplinary mechanisms.

Most policies use a level system, tying the employee’s action and its effect on unauthorized disclosure of PHI to the recommended sanction. Levels could start from situations where an employee did not follow procedures but there was no unauthorized disclosure of PHI, and usually top out at situations where the actions were malicious and willful, causing or intending to cause harm to the patient.

Mitigating factors may be enumerated, and repeated patterns of violation may result in a higher level of discipline.

Employee Sanctions should be standardized

Organizations usually strive to administer most disciplinary policies in a consistent, standardized way. Employee sanctions for HIPAA violations are no different. Inconsistent application can carry consequences ranging from confusing messages to erosion of public trust to vulnerability to penalties and fines.

One way to increase standardization of disciplinary actions is to develop a grid, matching the riskiness of the actions to the level of sanction.

The HIPAA regulations explicitly require organizations to have and apply appropriate sanctions against workforce members who fail to comply with the privacy policies and procedures of the organization. While sanctions can be related to the incident and the potential harm, they also need to demonstrate that the organization is taking seriously its responsibility to protect the privacy of patient information – even when there is no evidence of unauthorized disclosure or when the breach is not reportable.

HIPAA violation rocks hospital! An employee at St. Charles Health System accessed over 2,400 patients’ medical records over a two-year period out of curiosity. We all know that curiosity killed the cat, and now it may have dire consequences for this curiosity seeker and the hospital system.

HIPAA Violation without intent to commit fraud

The employee who viewed protected health information (PHI) without a legitimate reason is in jeopardy of large civil fines, loss of their clinical license and criminal prosecution, not to mention termination from their present position. The hospital system has to repair its damaged reputation while at the same time preparing to defend itself against potential civil and criminal actions. There are many incidents where an organization is liable for HIPAA violations even though it “didn’t do it”.

Now the local District Attorney has taken an interest in this matter and is launching a criminal investigation. Under the HIPAA statute there is no private right of action; however, the Attorney General of the state where the infraction took place may bring an action on the affected individuals’ behalf.

The employee signed an affidavit stating that the HIPAA violation they committed, and the information they accessed, was not for the purpose of committing fraud; however, that did not halt the criminal investigation.

Hospital employee viewing PHI

This real-life incident demonstrates how healthcare providers and their employees can face serious trouble for viewing records inappropriately. Just remember this incident when you are tempted to be inquisitive about a patient you are not treating, or to access a patient’s medical records for no business purpose.

When performing your job function, it is not a HIPAA violation to release or access a patient’s PHI for treatment, payment or health care operations (TPO). Before accessing or releasing PHI, ask yourself whether the purpose falls under TPO. If it does, release only the minimum information necessary to complete the task; if it does not, you may need an authorization signed by the patient or his or her representative. If you are unsure whether you can release or access a patient’s PHI, contact your supervisor or your organization’s Privacy Officer.

Finally, this violation reaffirms the need to conduct a HIPAA Risk Analysis, including monitoring for compliance with the Privacy and Breach Notification Rules, and to use your policies and procedures as the basis for training, auditing and monitoring. Access logging on the EHR is what makes this kind of curiosity browsing detectable at all; without audit trails that are actually reviewed, a two-year pattern of unauthorized record views would never surface.

HIPAA Breach Notification Rules under the HITECH Act and GINA were issued on January 25, 2013, with modifications to the HIPAA Privacy, Security, and Enforcement Rules. This is commonly known as the Omnibus Rule. The Omnibus Rule mandates that covered entities (CEs) and business associates (BAs) provide the required HIPAA breach notifications following an impermissible use or disclosure of protected health information (PHI).

What is a HIPAA Breach?

A HIPAA breach notification may be required because of an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI) of an individual. An impermissible use or disclosure is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the protected health information has been compromised.

The risk assessment must consider at least the following four factors:

The nature and extent of the PHI involved (e.g., the types of identifiers and the likelihood of re-identification);

The unauthorized person who used the protected health information or to whom the disclosure was made;

Whether the PHI was actually viewed or acquired;

The extent to which the risk to the PHI has been mitigated.

How Does a HIPAA Breach Notification Work?

(1) HIPAA Breach Notification Rule: Following a breach of unsecured PHI, CEs must notify the affected individual(s) and the Secretary of Health and Human Services (HHS). Where the breach affects more than 500 residents of a State or jurisdiction, notice must also be provided to prominent media outlets serving that area. In addition, BAs must notify the CE that a breach has occurred.

Individual HIPAA breach notifications must be made without unreasonable delay, and no later than 60 days from the date the breach is discovered. A breach is considered “discovered” on the first day it is known (or, by exercising reasonable diligence, would have been known) to any workforce member or agent of the entity, other than the person who committed the breach.

(2) Covered Entity HIPAA Breach Notification: Covered entities are required to notify affected individuals following the discovery of a breach of unsecured PHI. The CE must provide individual notice in written form by first-class mail, or by email if the affected individual has agreed to receive notices electronically.

What about Business Associates?

(1) Business Associate HIPAA Breach Notification: If a breach of unsecured PHI occurs at a business associate, the BA must notify the CE following discovery of the breach, and no later than 60 days from the day of discovery. BAs must provide, to the extent possible, the identity of each individual affected by the breach. The covered entity remains responsible for ensuring that individuals are notified of a breach by a business associate, even if the covered entity has delegated the task of providing the individual notices to the business associate.

(2) Out-of-date contact information: If the CE has insufficient or out-of-date contact information for 10 or more individuals, it must provide substitute individual notice by one of two methods: a conspicuous posting on the home page of its website for at least 90 days, or notice in major print or broadcast media where the affected individuals reside. Either form must include a toll-free number that remains active for at least 90 days. If the CE has insufficient or out-of-date contact information for fewer than 10 individuals, it may provide substitute notice by an alternative form of written notice, by telephone, or by other means.

HHS Wall of Shame

As required by section 13402(e)(4) of the HITECH Act, the Secretary posts a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches range from laptop theft to hacking/IT incidents. In 2015 the records of over 113 million individuals were reported breached, and the number of incidents categorized as “hacking/IT incidents” doubled compared with 2014. And this only includes breaches involving 500 or more individuals!

Most recently, St. Joseph Health (SJH) agreed to settle potential violations of the HIPAA Privacy and Security Rules following a report that files containing ePHI were publicly accessible through internet search engines between 2011 and 2012. The public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information. SJH will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan. This plan requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff accordingly.

The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information. Entities must not only conduct a comprehensive HIPAA risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI.

As if the headlines today were not scary enough, now we have to be worried, very worried it seems, about medical device cybersecurity! Reports of hacking and other incidents involving medical devices are all over the news lately. Beyond the financial impact, confidentiality and HIPAA issues arise immediately. The first six months of 2017 saw an inordinate number of cybersecurity meltdowns, and other HIPAA breaches and data leaks occur much too often.

In May 2017, hospitals in the UK’s NHS and elsewhere in Europe were disrupted by the WannaCry ransomware. At least two contrast agent injectors were reported compromised as part of that attack.

In 2015, three hospitals suffered data breaches when medical devices were infected by malware, including a blood gas analyzer and a picture archiving and communication system (PACS). In these cases the malware spread from the device to other systems in the hospitals, leaving the hospital facing a ransom demand to clean its systems. And this happened even though the hospitals had firewalls, intrusion detection and other security tools in place! A device that must run an old, unpatchable operating system should sit on its own network segment with only the connections it actually needs allowed, so that an infected analyzer cannot reach the rest of the hospital.

In August 2017, the FDA approved a firmware patch to address cybersecurity vulnerabilities in some 465,000 implanted pacemakers manufactured by Abbott (formerly St. Jude Medical). The vulnerabilities had been identified over a year earlier!

Why are medical devices vulnerable to cyber attacks?

Most of the time, medical device cybersecurity flaws are in third-party software such as Windows rather than in the device’s own firmware. Many devices run a Windows operating system as the interface for the people operating the equipment, and Windows is also used to interface with electronic health record systems. If the device is connected to the network or the internet, a pathway exists for malware to infect the Windows software on the device, and from there to reach other connected devices or applications.

But as the pacemaker issue mentioned above shows, there can also be vulnerabilities in the devices themselves. An investment firm lit a fire a year ago when it issued a report claiming most devices had little to no built-in cybersecurity measures.

What does the government advise about medical device cybersecurity?

Two government agencies are concerned with medical device cybersecurity. The Food and Drug Administration (FDA) has principally been concerned with patient safety. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) administers the HIPAA Privacy and Security Rules.

Because of its focus on patient safety, the FDA historically paid little attention to the HIPAA security issues related to medical device cybersecurity. The FDA broadened its view with its Postmarket Management of Cybersecurity in Medical Devices guidance issued on December 28, 2016. This non-binding guidance advises device manufacturers to adopt several strategies for reducing medical device cybersecurity risk, including:

Maintaining robust software lifecycle processes that include monitoring third party software components for new vulnerabilities.

Understanding, detecting and establishing communication processes with users when vulnerabilities are recognized.

The 4 things medical device users should do

First, ask vendors how they are implementing the FDA Postmarket Management Guidance. In this day and age, there is really no excuse for not keeping third-party software like Windows up to date.

Second, expand the information you keep in your inventory of medical devices to include:

The risk profile of each device, e.g., use of third-party software, network or internet connectivity, etc.

The type of data kept on the device, and whether it is static or dynamic.

The security controls on the device, e.g., encryption, password protection, etc.

Third, include medical devices that run third-party software in the periodic HIPAA Security Rule risk assessment you perform.

Fourth, keep a sharp eye out for communications about vulnerabilities in your medical devices, and for firmware patches that improve the resistance of devices to hacking.

Medical device cybersecurity is not a particularly glamorous issue, but paying attention to it is vital in this environment. Hospitals have long had to keep electrical/electronic equipment safe to use around patients. Cybersecurity is just another part of that culture of safety.

In the age of electronic communication, there is the ever-present concern of compromised data. Data can be intercepted and accessed by third parties with their own agendas.

Naturally, the information between patients and their healthcare providers is quite sensitive. Neither party wants that data available to the public.

In response to growing concerns of data interception, Congress passed HIPAA: the Health Insurance Portability and Accountability Act. One of the purposes of this legislation is to protect a patient’s privacy.

Email is not secure

In general, email communication is not secure for two reasons:

The data isn’t encrypted by default.

It’s impossible to tell if the receiver is the intended recipient.

Encryption is the process of transforming data so that it is unreadable to anyone without the key, while allowing the holder of the key to recover the original. The key (not the cipher itself, which is usually public) is what the sender and recipient must share or hold; anyone without it sees only ciphertext, which looks like gibberish.

By default, most email services do not encrypt message content end to end. This includes the popular web-based services like Outlook.com, Gmail, and Yahoo: they protect the connection between your browser and their servers with TLS, but the message itself sits readable on their servers, and it may be relayed to the recipient’s provider unencrypted if that provider’s mail server does not support TLS. Some of these services offer paid editions that will sign a Business Associate Agreement and can be configured to comply with HIPAA.

Furthermore, there’s never a foolproof way to ensure that the intended recipient is actually the one reading the email. Perhaps the patient checked his mail in a public place with wandering eyes or left his phone somewhere by mistake.

Nevertheless, modern patients expect instant communication, so you can’t avoid emailing. For many patients and practices, email is becoming the preferred method of communication.

Here’s how to stay compliant with your electronic communications.

Encrypt everything

Every piece of electronic PHI should be encrypted, including paper documents scanned to a computer. It is a simple process to have a scanned document or image sent to your storage location via encrypted email; speak with your IT professional to set this up.

Protected health information (PHI) must be protected at rest and in transit: secured while it is transmitted across networks or the internet, and while it is stored on drives at workstations and servers.

The person conducting the transmission is the liable party. A patient replying to you is not a covered entity or business associate and is not bound by HIPAA; you are responsible only for the security of the emails you send.

While HIPAA does not strictly require that you encrypt every device and storage location (encryption is an “addressable” implementation specification under the Security Rule, meaning you must implement it or document why an equivalent alternative is reasonable), it would be silly not to. Encryption is cheap and easy, and PHI encrypted in line with HHS guidance is not “unsecured” PHI, so losing an encrypted laptop does not trigger breach notification the way losing an unencrypted one does. Even if you technically followed the rules, you could still upset your patients if data were exposed.

It isn’t necessary to use a dedicated service to send HIPAA compliant emails. These services work, but with some added expense.

Some email clients allow configurations that satisfy the law. For example, the desktop Microsoft Outlook client offers S/MIME encryption under its security settings; note that this encrypts only to recipients whose certificates you hold, so it works for colleagues and partner organizations that have set it up, not for an arbitrary patient. Enabling IMAP and deleting messages from the server after download (storing them only on an encrypted local disk) reduces what an attacker could recover from the mail server, but it does nothing to protect a message in transit; only encrypting the message or the connection does that.

While encryption is important, it is worth mentioning that HIPAA does not require you to encrypt email that never leaves your own secured network. If you send an email to a colleague on the same secure server, no additional encryption is required. However, best practice is to encrypt everything to be safe.

If a patient is unable to accept encrypted communications, they can choose to receive unencrypted email from you after being warned of the risks. In this case, you can use any means of communication that works for you and the patient; just make sure to have them sign a consent form and save it.

Get the patient’s consent

Consent is an important part of privacy. You can ensure you have the right contact information and protect yourself from lawsuits by getting permission in writing from your patient before you correspond through email.

On the form, explain to the patient the inherent risks of electronic communication. Offer some advice on safeguarding their computer to ensure their emails aren’t accessed by other people.

I recommend having your attorney evaluate a consent form before you send it to your patients.

Here’s a template to give you an idea of what it looks like. For best results, use an online intake form with e-signature capabilities (like ours).

Once you have the consent form, be sure to keep it safe. If the patient ever blames you for a privacy breach, you’ll want to be able to show that you had their permission.

When a patient initiates an email conversation, it is reasonable to assume they permit that type of communication (unless they have previously expressed otherwise). Still, you must secure these emails like any other.

If a patient hasn’t agreed to communicate electronically, never contact them through email.

Include a privacy statement with each email

Every email you send should conclude with a privacy statement. The statement should notify the receiver that the email is inherently insecure, express that the content is strictly confidential, and tell them who to report the email to if they are not the correct recipient.

The purpose of this statement is to remind the recipient every time that their correspondence isn’t 100% safe. If they choose to reply with confidential information, they are doing so at their own risk. Further, it encourages parties who shouldn’t read the email to report the miscommunication.

If your email needs are simple, this can be done by adding a signature to your emails through your client. If you work in a larger practice, speak with your IT professional to ensure that all emails include this statement.

That said, email disclaimers are not a substitute for properly encrypted PHI emails. The purpose of the disclaimer is simply to inform. It does not absolve you of responsibility in any way.

Use an email provider that signs a Business Associate Agreement

A Business Associate Agreement with your email provider is a HIPAA requirement. There are countless services that specialize in HIPAA-compliant communications for healthcare providers, each with its own features. These agreements do not come standard with free email services, but many paid versions offer them.

If a provider will not sign this agreement, you cannot use it for PHI and remain compliant. Do not assume an email service provider will sign an agreement unless it is clearly advertised on their website.

Develop an office policy

It’s important to have a clearly defined policy for your staff or colleagues regarding protected health information (PHI). A casual discussion isn’t enough. You need procedures.

In your documentation, include which types of information may and may not be transmitted electronically. You may restrict certain types of PHI (mental health issues, for instance) to in-person meetings only.

Document who may and who may not send or receive confidential patient information. For instance, you would allow a doctor, nurse, or other healthcare provider to discuss health matters with a patient, but not the receptionist, administrative assistant, or billing department. These restricted parties should only contact patients regarding administrative issues and immediately notify healthcare staff if a patient mentions medical information.

You can use email securely and still remain compliant with HIPAA. Here are seven tips for securely using email in a HIPAA-compliant organization.

1) Get consent

Get a patient’s written consent before sending them email. A good email consent form will explain the risks of communicating via email, explain how and why you’ll use email, explain how patients should safeguard their computer, and get the patient’s signature. Search the internet for “email consent form” to find lots of templates you can adapt. It also can’t hurt to have your lawyer review the form before you start using it.

Do something with the patient’s consent.

Write a procedure for staff to follow when handling consent forms that patients fill out. This is important for two reasons: (1) It’s the only way to be sure that you’re actually honoring the patient’s wishes about email communication, and (2) If you are ever audited or experience a security breach, it will be important to have a written procedure as evidence to prove that you’re handling email securely.

2) Policy: define what staff are allowed to do with email.

Your policy should define which email addresses and devices should be used to send PHI, what information should never be sent via email (e.g., mental health and substance abuse info), and who they are allowed to email (patients, other providers, etc.).

3) Have a privacy statement at the end of emails.

A privacy statement should be automatically appended to the end of every outgoing email. Your statement reminds recipients that email is inherently insecure, states that the email is privileged and confidential, and tells the recipient who to contact if they are not the right person. Speak with your email / IT provider – they should be able to set this up for you.

4) Say yes to Business Associate Agreements.

Business Associate Agreements are required under HIPAA. Don’t use an email provider who refuses to sign a Business Associate Agreement for your medical practice. Paid Google and Office 365 services will sign such an agreement. Free services like free Gmail, Yahoo Mail, and Hotmail/Outlook.com won’t.

5) Say no to any company that won’t sign a BAA.

Companies will give you all sorts of reasons as to why they won’t sign a Business Associate agreement. Here are a few that we’ve heard:

“Our lawyers say we don’t need one.”

“We never open your emails, so we’re not a Business Associate.”

“None of our thousands of customers have ever asked us to do that.”

“We’re a ‘conduit’, not a business associate.”

These are all nonsense. There are plenty of providers out there who are willing to sign a Business Associate agreement. If a vendor’s not, you’re either speaking to the wrong person within the company, or there’s a reason that they won’t. Walk away and go find a vendor that knows how to support healthcare organizations.

6) Encrypt email with PHI or PII.

Let’s say you’re emailing a patient with the results of a lab test. You need to be as sure as can be that your patient is actually sitting at the computer when that email is opened AND that nobody else read the email in between your computer and theirs.

Using a secure email gives you that level of assurance – the message is encrypted when it leaves your computer, and can’t be read by anyone except your patient who has a password that only she or he knows. That means anyone trying to read it along the way will only see nonsense.

7) Better yet, automatically encrypt any sensitive email.

The best systems will automatically inspect your email on the way out, look for sensitive content (such as social security numbers, diagnoses like “diabetes,” medication names like “Zoloft,” etc.), and automatically send those messages encrypted. These systems are great because they remove the chance of human error: emails to your spouse about dinner plans are sent normally, but emails about patients, treatments, diagnoses, and lab tests are sent securely.
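As an added example (not code from the original article, and not any vendor’s product), the Python sketch below shows the outbound classification such a gateway performs: it scans a message for SSN-shaped numbers, a medical record number, and diagnosis or medication terms, and decides whether the message takes the encrypted path. The term lists, the “MRN” number format and the SSN plausibility rule are assumptions for illustration, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Hypothetical term lists, kept deliberately short. A real rule set would be
# maintained by the privacy officer and would be far larger.
DIAGNOSIS_TERMS = {"diabetes", "hiv", "depression", "hepatitis", "cancer"}
MEDICATION_TERMS = {"zoloft", "metformin", "insulin", "lithium", "truvada"}

# SSN shape: AAA-GG-SSSS with word boundaries so phone numbers do not match.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumed medical-record-number format for this example: "MRN" then 6+ digits.
MRN_RE = re.compile(r"\bMRN[\s#:]*\d{6,}\b", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z0-9]+")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues (area 000, 666, 900-999; group 00;
    serial 0000), which cuts false positives on ticket or invoice numbers
    that happen to be 3-2-4 digits."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


@dataclass
class Verdict:
    encrypt: bool
    reasons: list = field(default_factory=list)


def classify(subject: str, body: str) -> Verdict:
    """Decide whether an outbound message carries PHI/PII and why."""
    text = f"{subject}\n{body}"
    reasons = []

    # Identifier patterns first: one plausible SSN is enough.
    if any(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        reasons.append("ssn")
    if MRN_RE.search(text):
        reasons.append("mrn")

    # Then vocabulary: tokenize so "diabetes," still matches "diabetes".
    words = set(WORD_RE.findall(text.lower()))
    if words & DIAGNOSIS_TERMS:
        reasons.append("diagnosis")
    if words & MEDICATION_TERMS:
        reasons.append("medication")

    return Verdict(encrypt=bool(reasons), reasons=reasons)


def route(subject: str, body: str) -> str:
    """The delivery path the gateway would choose: 'encrypted' or 'plain'."""
    return "encrypted" if classify(subject, body).encrypt else "plain"


if __name__ == "__main__":
    # Constructed messages, not real patient data.
    samples = [
        ("Dinner?", "Pick up Thai on the way home"),
        ("Results", "MRN 0012345: A1c confirms type 2 diabetes, start metformin"),
        ("Billing", "Patient SSN 123-45-6789 for claim 88812"),
        ("Ticket", "Ref 666-12-3456 escalated to tier 2"),
    ]
    for subj, body in samples:
        v = classify(subj, body)
        print(f"{subj:8} -> {route(subj, body):9} {v.reasons}")
```

The plausibility check matters in practice: without it, every 3-2-4 digit reference number in the practice’s correspondence would be forced through the encrypted path and staff would learn to ignore the control. Gateways that do this for real also look at attachments, which this sketch does not.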

Since the start of 2017 alone, HIPAA enforcement trends have indicated that this could be the most costly year for fines in history.

HIPAA, as a regulation, is administered by the Department of Health and Human Services (HHS). HHS issues policy and guidance on emerging trends in health care IT, patient privacy, and data security. The Office for Civil Rights (OCR) is the HHS body responsible for HIPAA enforcement and investigation.

HIPAA Fines by Year

OCR has been cracking down on HIPAA enforcement significantly in the past few years.

Compare these HIPAA fine totals by year:

2015: $6,193,000

2016: $23,504,800

2017: $17,093,200

So far, in the first six months of 2017 alone, fines total nearly three times 2015’s full-year figure. And if the trend continues, 2017 is very likely to outpace 2016’s record-breaking $23 million as well.

Why the Increase in HIPAA Enforcement?

When OCR begins a HIPAA investigation for a violation or breach, it can take 3-4 years to reach settlement with the organization under investigation.

Four years ago, in 2013, HHS released its Omnibus Rule, which made HIPAA business associates directly liable for compliance with the HIPAA regulations. For background: a covered entity is a health care provider, health plan or clearinghouse, and a business associate is a vendor that handles PHI on that entity’s behalf.

In the past year, many of the multi-million dollar fines levied by OCR have been the direct result of BA non-compliance. If a covered entity shares health care information with a BA without first executing a business associate agreement, the sharing of that data is itself a violation of HIPAA and is subject to significant fines. In cases where OCR finds “willful neglect” of the HIPAA regulations, fines can reach $50,000 per violation.

With HIPAA enforcement trending toward stricter and more severe financial penalties for improper relationships with BAs, it’s no wonder why fines have been steadily increasing year after year. Now that some of the major OCR investigations involving BA non-compliance have started reaching settlement, behavioral health providers need to ensure that their relationships with their vendors are lawful under the HIPAA Omnibus Rule.

Phase 2 HIPAA Audits are targeting randomly selected health care practices and organizations around the country. Having an effective HIPAA compliance program is the easiest way to pass your audit; read on to find out what you can do to protect your behavioral health practice!

Upcoming Phase 2 Audit Protocols

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) first announced this new round of random audits in 2016. Phase 2 is the second time in OCR’s history that it has instituted a random audit program. Phase 1 HIPAA Audits were rolled out in 2011 and affected a similar number of health care providers across the country.

OCR has designed these Phase 2 audits to target a broad selection of HIPAA-beholden health care organizations. That includes both Covered Entities (CEs) and Business Associates (BAs).

HIPAA defines a Covered Entity as any health plan, health care clearinghouse, or health care provider, including behavioral health specialists, that creates or transmits protected health information (PHI). PHI is any health data that can be used to identify a patient (including name, date of birth, social security number, address, medical data, etc.). HIPAA defines a Business Associate as any organization that handles PHI in the course of the work it has been hired to do (examples include billing firms, cloud storage providers, and faxing, shredding, copying, and IT providers, to name a few).

So how do you know if your behavioral health organization has been selected for a Phase 2 HIPAA audit?

OCR will reach out to your organization via email if you have been randomly selected for an audit. You should look out for emails from “OSOCRAudit@hhs.gov”. Because a message asking for your vendor list and compliance documentation is exactly what a phishing email would ask for, confirm any such contact through OCR’s published channels before sending anything.

Once you’ve been contacted for an audit, you will have 10 days to respond to OCR’s request for information. If your organization does not respond for any reason, federal investigators will continue to contact your organization until they receive a response, including using publicly available information to call or otherwise reach you.

One of the first things federal investigators will ask for is a complete list of your organization’s business associates, with contact information for each. Identify your business associates now so that you’re prepared for these upcoming HIPAA audits.

Additionally, your organization must have a HIPAA compliance program in place with full documentation that can be provided for OCR investigators.

Desk Audits vs. Onsite Audits

Phase 2 HIPAA Audits consist of a number of different stages.

The first stage is desk audits, which are a series of remote audits. OCR investigators will contact your organization via email and you’ll be prompted to send the appropriate information. Investigators will not come to your physical location, but you’ll still be required to comply with the investigation.

Onsite audits are another means of investigation that OCR is set to pursue in 2017. Onsite Phase 2 HIPAA Audits will require federal OCR investigators to come onsite to inspect your organization. They will be checking your level of compliance with HIPAA regulation.
